My Fellow Americans:

The way business is transacted, government operates, and national defense is 
conducted have changed. These activities now rely on an interdependent network 
of information technology infrastructures called cyberspace. The National Strategy 
to Secure Cyberspace provides a framework for protecting this infrastructure that is
essential to our economy, security, and way of life.

In the past few years, threats in cyberspace have risen dramatically. The policy of 
the United States is to protect against the debilitating disruption of the operation 
of information systems for critical infrastructures and, thereby, help to protect the 
people, economy, and national security of the United States. We must act to reduce 
our vulnerabilities to these threats before they can be exploited to damage the 
cyber systems supporting our Nation's critical infrastructures and ensure that such 
disruptions of cyberspace are infrequent, of minimal duration, manageable, and 
cause the least damage possible. 

Securing cyberspace is an extraordinarily difficult strategic challenge that requires a 
coordinated and focused effort from our entire society — the federal government, 
state and local governments, the private sector, and the American people. To 
engage Americans in securing cyberspace, a draft version of this strategy was 
released for public comment, and ten town hall meetings were held around the 
Nation to gather input on the development of a national strategy. Thousands of 
people and numerous organizations participated in these town hall meetings and 
responded with comments. I thank them all for their continuing participation. 

The cornerstone of America's cyberspace security strategy is and will remain a 
public-private partnership. The federal government invites the creation of, and 
participation in, public-private partnerships to implement this strategy. Only by 
acting together can we build a more secure future in cyberspace. 
Executive Summary



Our Nation's critical infrastructures are
composed of public and private institutions in
the sectors of agriculture, food, water, public
health, emergency services, government, defense
industrial base, information and telecommunications,
energy, transportation, banking and
finance, chemicals and hazardous materials, and
postal and shipping. Cyberspace is their nervous
system—the control system of our country.
Cyberspace is composed of hundreds of
thousands of interconnected computers, servers,
routers, switches, and fiber optic cables that
allow our critical infrastructures to work. Thus,
the healthy functioning of cyberspace is
essential to our economy and our national
security.



This National Strategy to Secure Cyberspace is
part of our overall effort to protect the Nation.
It is an implementing component of the
National Strategy for Homeland Security and is
complemented by a National Strategy for the
Physical Protection of Critical Infrastructures and
Key Assets. The purpose of this document is to
engage and empower Americans to secure the
portions of cyberspace that they own, operate,
control, or with which they interact. Securing
cyberspace is a difficult strategic challenge that
requires coordinated and focused effort from
our entire society—the federal government,
state and local governments, the private sector,
and the American people.
The National Strategy to Secure Cyberspace
outlines an initial framework for both organizing
and prioritizing efforts. It provides
direction to the federal government departments
and agencies that have roles in
cyberspace security. It also identifies steps that
state and local governments, private companies
and organizations, and individual Americans
can take to improve our collective cybersecurity.
The Strategy highlights the role of public-private
engagement. The document provides a
framework for the contributions that we all can
make to secure our parts of cyberspace. The
dynamics of cyberspace will require adjustments
and amendments to the Strategy over time.

The speed and anonymity of cyber attacks
makes distinguishing among the actions of
terrorists, criminals, and nation states difficult, a
task which often occurs only after the fact, if at
all. Therefore, the National Strategy to Secure
Cyberspace helps reduce our Nation's vulnerability
to debilitating attacks against our critical
information infrastructures or the physical
assets that support them.

Strategic Objectives 

Consistent with the National Strategy for
Homeland Security, the strategic objectives
of this National Strategy to Secure Cyberspace
are to:

• Prevent cyber attacks against America's
critical infrastructures;

• Reduce national vulnerability to cyber
attacks; and

• Minimize damage and recovery time from
cyber attacks that do occur.

Threat and Vulnerability 

Our economy and national security are fully
dependent upon information technology and
the information infrastructure. At the core of
the information infrastructure upon which we
depend is the Internet, a system originally
designed to share unclassified research among
scientists who were assumed to be uninterested
in abusing the network. It is that same Internet
that today connects millions of other computer
networks making most of the nation's essential
services and infrastructures work. These
computer networks also control physical objects
such as electrical transformers, trains, pipeline
pumps, chemical vats, radars, and stock
markets, all of which exist beyond cyberspace.

A spectrum of malicious actors can and do
conduct attacks against our critical information
infrastructures. Of primary concern is the threat
of organized cyber attacks capable of causing
debilitating disruption to our Nation's critical
infrastructures, economy, or national security.
The required technical sophistication to carry
out such an attack is high—and partially
explains the lack of a debilitating attack to date.
We should not, however, be too sanguine. There
have been instances where organized attackers
have exploited vulnerabilities that may be
indicative of more destructive capabilities.

Uncertainties exist as to the intent and full
technical capabilities of several observed
attacks. Enhanced cyber threat analysis is
needed to address long-term trends related to
threats and vulnerabilities. What is known is
that the attack tools and methodologies are
becoming widely available, and the technical
capability and sophistication of users bent on
causing havoc or disruption is improving.

In peacetime America's enemies may conduct
espionage on our Government, university
research centers, and private companies. They
may also seek to prepare for cyber strikes during
a confrontation by mapping U.S. information
systems, identifying key targets, and lacing our
infrastructure with back doors and other means
of access. In wartime or crisis, adversaries may
seek to intimidate the Nation's political leaders
by attacking critical infrastructures and key
economic functions or eroding public confidence
in information systems.
Cyber attacks on United States information
networks can have serious consequences such as
disrupting critical operations, causing loss of
revenue and intellectual property, or loss of life.
Countering such attacks requires the development
of robust capabilities where they do not
exist today if we are to reduce vulnerabilities
and deter those with the capabilities and intent
to harm our critical infrastructures.

The Government Role in Securing 
Cyberspace 

In general, the private sector is best equipped
and structured to respond to an evolving cyber
threat. There are specific instances, however,
where federal government response is most
appropriate and justified. Looking inward,
providing continuity of government requires
ensuring the safety of its own cyber infrastructure
and those assets required for
supporting its essential missions and services.
Externally, a government role in cybersecurity is
warranted in cases where high transaction costs
or legal barriers lead to significant coordination
problems; cases in which governments operate
in the absence of private sector forces;
resolution of incentive problems that lead to
under provisioning of critical shared resources;
and raising awareness.

Public-private engagement is a key component
of our Strategy to secure cyberspace. This is
true for several reasons. Public-private partnerships
can usefully confront coordination
problems. They can significantly enhance
information exchange and cooperation.
Public-private engagement will take a variety
of forms and will address awareness, training,
technological improvements, vulnerability
remediation, and recovery operations.

A federal role in these and other cases is only
justified when the benefits of intervention
outweigh the associated costs. This standard is
especially important in cases where there are
viable private sector solutions for addressing any
potential threat or vulnerability. For each case,
consideration should be given to the broad-based
costs and impacts of a given government
action, versus other alternative actions, versus
non-action, taking into account any existing or
future private solutions.

Federal actions to secure cyberspace are
warranted for purposes including: forensics and
attack attribution, protection of networks and
systems critical to national security, indications
and warnings, and protection against organized
attacks capable of inflicting debilitating damage
to the economy. Federal activities should also
support research and technology development
that will enable the private sector to better
secure privately-owned portions of the Nation's
critical infrastructure.

Department of Homeland Security and 
Cyberspace Security 

On November 25, 2002, President Bush signed
legislation creating the Department of
Homeland Security (DHS). This new cabinet-level
department will unite 22 federal entities
for the common purpose of improving our
homeland security. The Secretary of DHS will
have important responsibilities in cyberspace
security. These responsibilities include:

• Developing a comprehensive national plan
for securing the key resources and critical
infrastructure of the United States;

• Providing crisis management in response
to attacks on critical information systems;

• Providing technical assistance to the
private sector and other government
entities with respect to emergency
recovery plans for failures of critical
information systems;

• Coordinating with other agencies of the
federal government to provide specific
warning information and advice about
appropriate protective measures and
countermeasures to state, local, and
nongovernmental organizations including
the private sector, academia, and the
public; and

• Performing and funding research and
development along with other agencies
that will lead to new scientific understanding
and technologies in support of
homeland security.

Consistent with these responsibilities, DHS will
become a federal center of excellence for cybersecurity
and provide a focal point for federal
outreach to state, local, and nongovernmental
organizations including the private sector,
academia, and the public.

Critical Priorities for Cyberspace 
Security 

The National Strategy to Secure Cyberspace
articulates five national priorities including:

I. A National Cyberspace Security
Response System;

II. A National Cyberspace Security Threat
and Vulnerability Reduction Program;

III. A National Cyberspace Security
Awareness and Training Program;

IV. Securing Governments' Cyberspace; and 

V. National Security and International 
Cyberspace Security Cooperation. 

The first priority focuses on improving our
response to cyber incidents and reducing the
potential damage from such events. The second,
third, and fourth priorities aim to reduce threats
from, and our vulnerabilities to, cyber attacks.
The fifth priority is to prevent cyber attacks
that could impact national security assets and to
improve the international management of and
response to such attacks.



Priority I: A National Cyberspace 
Security Response System 

Rapid identification, information exchange, and
remediation can often mitigate the damage
caused by malicious cyberspace activity. For
those activities to be effective at a national level,
the United States needs a partnership between
government and industry to perform analyses,
issue warnings, and coordinate response efforts.
Privacy and civil liberties must be protected in
the process. Because no cybersecurity plan can
be impervious to concerted and intelligent
attack, information systems must be able to
operate while under attack and have the
resilience to restore full operations quickly.

The National Strategy to Secure Cyberspace 
identifies eight major actions and initiatives for 
cyberspace security response: 

1. Establish a public-private architecture for
responding to national-level cyber
incidents;

2. Provide for the development of tactical
and strategic analysis of cyber attacks and
vulnerability assessments;

3. Encourage the development of a private
sector capability to share a synoptic view
of the health of cyberspace;

4. Expand the Cyber Warning and
Information Network to support the role
of DHS in coordinating crisis
management for cyberspace security;

5. Improve national incident management;

6. Coordinate processes for voluntary
participation in the development of
national public-private continuity and
contingency plans;

7. Exercise cybersecurity continuity plans
for federal systems; and

8. Improve and enhance public-private
information sharing involving cyber
attacks, threats, and vulnerabilities.
Priority II: A National Cyberspace
Security Threat and Vulnerability 
Reduction Program 

By exploiting vulnerabilities in our cyber
systems, an organized attack may endanger the
security of our Nation's critical infrastructures.
The vulnerabilities that most threaten cyberspace
occur in the information assets of critical
infrastructure enterprises themselves and their
external supporting structures, such as the
mechanisms of the Internet. Lesser-secured
sites on the interconnected network of networks
also present potentially significant exposures to
cyber attacks. Vulnerabilities result from
weaknesses in technology and because of
improper implementation and oversight of
technological products.

The National Strategy to Secure Cyberspace
identifies eight major actions and initiatives to
reduce threats and related vulnerabilities:



1. Enhance law enforcement's capabilities
for preventing and prosecuting cyberspace
attacks;

2. Create a process for national vulnerability
assessments to better understand the
potential consequences of threats and
vulnerabilities;

3. Secure the mechanisms of the Internet by
improving protocols and routing;

4. Foster the use of trusted digital control
systems/supervisory control and data
acquisition systems;

5. Reduce and remediate software
vulnerabilities;

6. Understand infrastructure interdependencies
and improve the physical security
of cyber systems and telecommunications;

7. Prioritize federal cybersecurity research
and development agendas; and

8. Assess and secure emerging systems.

Priority III: A National Cyberspace 
Security Awareness and Training 
Program 

Many cyber vulnerabilities exist because of a
lack of cybersecurity awareness on the part of
computer users, systems administrators,
technology developers, procurement officials,
auditors, chief information officers (CIOs),
chief executive officers, and corporate boards.
Such awareness-based vulnerabilities present
serious risks to critical infrastructures regardless
of whether they exist within the infrastructure
itself. A lack of trained personnel and the
absence of widely accepted, multi-level
certification programs for cybersecurity
professionals complicate the task of addressing
cyber vulnerabilities.
The National Strategy to Secure Cyberspace
identifies four major actions and initiatives for
awareness, education, and training:

1. Promote a comprehensive national
awareness program to empower all
Americans—businesses, the general
workforce, and the general population—
to secure their own parts of cyberspace;

2. Foster adequate training and education
programs to support the Nation's
cybersecurity needs;

3. Increase the efficiency of existing federal
cybersecurity training programs; and

4. Promote private-sector support for
well-coordinated, widely recognized
professional cybersecurity certifications.

Priority IV: Securing Governments' 
Cyberspace 

Although governments administer only a 
minority of the Nation's critical infrastructure 
computer systems, governments at all levels 
perform essential services in the agriculture, 
food, water, public health, emergency services, 
defense, social welfare, information and 
telecommunications, energy, transportation, 
banking and finance, chemicals, and postal and 
shipping sectors that depend upon cyberspace 
for their delivery. Governments can lead by
example in cyberspace security, including 
fostering a marketplace for more secure 
technologies through their procurement. 

The National Strategy to Secure Cyberspace 
identifies five major actions and initiatives for
the securing of governments' cyberspace: 

1. Continuously assess threats and
vulnerabilities to federal cyber systems;

2. Authenticate and maintain authorized
users of federal cyber systems;

3. Secure federal wireless local area
networks;

4. Improve security in government
outsourcing and procurement; and

5. Encourage state and local governments to
consider establishing information
technology security programs and participate
in information sharing and analysis
centers with similar governments.

Priority V: National Security and 
International Cyberspace Security 
Cooperation 

America's cyberspace links the United States to
the rest of the world. A network of networks
spans the planet, allowing malicious actors on
one continent to act on systems thousands of
miles away. Cyber attacks cross borders at light
speed, and discerning the source of malicious
activity is difficult. America must be capable of
safeguarding and defending its critical systems
and networks. Enabling our ability to do so
requires a system of international cooperation to
facilitate information sharing, reduce vulnerabilities,
and deter malicious actors.

The National Strategy to Secure Cyberspace
identifies six major actions and initiatives to
strengthen U.S. national security and international
cooperation:

1. Strengthen cyber-related counterintelligence
efforts;

2. Improve capabilities for attack attribution
and response;

3. Improve coordination for responding to
cyber attacks within the U.S. national
security community;

4. Work with industry and through international
organizations to facilitate dialogue
and partnerships among international
public and private sectors focused on
protecting information infrastructures
and promoting a global "culture of
security;"

5. Foster the establishment of national and
international watch-and-warning
networks to detect and prevent cyber
attacks as they emerge; and

6. Encourage other nations to accede to the
Council of Europe Convention on
Cybercrime, or to ensure that their laws
and procedures are at least as comprehensive.

A National Effort 

Protecting the widely distributed assets of
cyberspace requires the efforts of many
Americans. The federal government alone
cannot sufficiently defend America's cyberspace.
Our traditions of federalism and limited
government require that organizations outside
the federal government take the lead in many of
these efforts. Every American who can
contribute to securing part of cyberspace is
encouraged to do so. The federal government
invites the creation of, and participation in,
public-private partnerships to raise cybersecurity
awareness, train personnel, stimulate
market forces, improve technology, identify and
remediate vulnerabilities, exchange information,
and plan recovery operations.

People and organizations across the United
States have already taken steps to improve
cyberspace security. On September 18, 2002,
many private-sector entities released plans and
strategies for securing their respective infrastructures.
The Partnership for Critical
Infrastructure Security has played a unique role
in facilitating private-sector contributions to
this Strategy. Inputs from the critical sectors
themselves can be found at
http://www.pcis.org. (These documents
were not subject to government approval.)

These comprehensive infrastructure plans
describe the strategic initiatives of various
sectors, including:

• Banking and Finance;

• Insurance;

• Chemical;

• Oil and Gas;

• Electric;

• Law Enforcement;

• Higher Education;

• Transportation (Rail);

• Information Technology and
Telecommunications; and

• Water.

As each of the critical infrastructure sectors
implements these initiatives, threats and vulnerabilities
to our infrastructures will be reduced.

For the foreseeable future two things will be
true: America will rely upon cyberspace and the
federal government will seek a continuing broad
partnership with the private sector to develop,
implement, and refine a National Strategy to
Secure Cyberspace.
A Nation in Cyberspace

Our Nation's critical infrastructures consist of
the physical and cyber assets of public and
private institutions in several sectors:
agriculture, food, water, public health,
emergency services, government, defense industrial
base, information and telecommunications,
energy, transportation, banking and finance,
chemicals and hazardous materials, and postal
and shipping. Cyberspace is the nervous system
of these infrastructures—the control system of
our country. Cyberspace comprises hundreds of
thousands of interconnected computers, servers,
routers, switches, and fiber optic cables that
make our critical infrastructures work. Thus, the
healthy functioning of cyberspace is essential to
our economy and our national security.
Unfortunately, recent events have highlighted
the existence of cyberspace vulnerabilities and
the fact that malicious actors seek to exploit
them. (See, Cyberspace Threats and
Vulnerabilities.)

This National Strategy to Secure Cyberspace is
part of an overall effort to protect the Nation. It
is an implementing component of the National
Strategy for Homeland Security and is complemented
by the National Strategy for the Physical
Protection of Critical Infrastructures and Key
Assets. The purpose of this document is to
engage and empower Americans to secure the
portions of cyberspace that they own, operate,
or control, or with which they interact. Securing
cyberspace is a difficult strategic challenge that
requires coordinated and focused effort from
our entire society—the federal government,
state and local governments, the private sector,
and the American people.

A Unique Problem, a Unique Process 

Most critical infrastructures, and the cyberspace
on which they rely, are privately owned and
operated. The technologies that create and
support cyberspace evolve rapidly from private-sector
and academic innovation. Government
alone cannot sufficiently secure cyberspace.
Thus, President Bush has called for voluntary
partnerships among government, industry,
academia, and nongovernmental groups to
secure and defend cyberspace. (See, National
Policy and Guiding Principles.)

In recognition of this need for partnership, the
process to develop the National Strategy to
Secure Cyberspace included soliciting views from
both the public and private sectors. To do so,
the White House sponsored town hall meetings
on cyberspace security in ten metropolitan
areas. Consequently, individual sectors (e.g.,
higher education, state and local government,
banking and finance) formed workgroups to
create initial sector-specific cyberspace security
strategies. Additionally, the White House
created a Presidential advisory panel, the
National Infrastructure Advisory Council,
consisting of leaders from the key sectors of the
economy, government, and academia. The
President's National Security
Telecommunications Advisory Committee
reviewed and commented on the Strategy.

In September 2002, the President's Critical
Infrastructure Protection Board sought
comments from individuals and institutions
nationwide by placing a draft version of the
Strategy online for review. Thousands participated
in the town hall meetings and provided
comments online. Their comments contributed
to shaping the Strategy by narrowing its focus
and sharpening its priorities.



This process recognizes that we can only secure
cyberspace successfully through an inclusive
national effort that engages major institutions
throughout the country. The federal
government designed the Strategy development
process to raise the Nation's level of awareness
of the importance of cybersecurity. Its intent
was to produce a Strategy that many Americans
could feel they had a direct role in developing,
and to which they would be committed.

Although the redrafting process reflects many
of the comments provided, not everyone will
agree with each component of the National
Strategy to Secure Cyberspace. Many issues could
not be addressed in detail, and others are not
yet ripe for national policy. The Strategy is not
immutable; actions will evolve as technologies
advance, as threats and vulnerabilities change,
and as our understanding of the cybersecurity
issues improves and clarifies. A national
dialogue on cyberspace security must therefore
continue.

In the weeks following the release of the draft
Strategy, Congress approved the creation of the
Department of Homeland Security (DHS),
assigned to it many agencies that are active in
cybersecurity, and directed it to perform new
cybersecurity missions. This Strategy reflects
those changes. Congress passed and the
President signed the Cyber Security Research and
Development Act (Public Law 107-305), authorizing
a multi-year effort to create more secure
cyber technologies, to expand cybersecurity
research and development, and to improve the
cybersecurity workforce.

Five National Cyberspace Security 
Priorities 

The National Strategy to Secure Cyberspace is a
call for national awareness and action by
individuals and institutions throughout the
United States, to increase the level of cybersecurity
nationwide and to implement continuous
processes for identifying and remedying cyber
vulnerabilities. Its framework is an agenda of
five broad priorities that require widespread
voluntary participation. Each individual
program consists of several components, many
of which were drawn from the draft Strategy's
recommendations and related public comments.

Addressing these priorities requires the
leadership of DHS as well as several other key
federal departments and agencies. As part of
the Office of Management and Budget
(OMB)-led budget process, and with the
support of Congress, these departments and
agencies now have the task of translating the
Strategy's recommendations into actions.

Corporations, universities, state and local 
governments, and other partners are also 
encouraged to take actions consistent with these 
five national cyberspace security priorities, both 
independently and in partnership with the 
federal government. Each private-sector organization
must make its own decisions based on
cost effectiveness analysis and risk-management
and mitigation strategies.

The National Strategy to Secure Cyberspace articulates
five national priorities. The first priority
focuses on improving our ability to respond to
cyber incidents and reduce the potential
damage from such events. The second, third,
and fourth priorities aim to reduce the numbers
of cyber threats and our overall vulnerability to
cyber attacks. The fifth priority focuses on
preventing cyber attacks with the potential to
impact national security assets and improving
international management of and response to
such attacks.

Priority I: A National Cyberspace
Security Response System 

Rapid identification, information exchange, and
remediation can often mitigate the damage
caused by malicious cyberspace activity. For
those activities to take place effectively at a
national level, the United States requires a
partnership between government and industry
to perform analyses, issue warnings, and
coordinate response efforts. Privacy and civil
liberties must be protected in the process.
Because no cybersecurity plan can be impervious
to concerted and intelligent attacks,
information systems must be able to operate
while under attack and also have the resilience
to restore full operations in their wake. To
prepare for the possibility of major cyber
attacks, America needs a national cyber disaster
recovery plan. The National Cyberspace
Security Response System will involve public
and private institutions and cyber centers to
perform analysis, conduct watch and warning
activities, enable information exchange, and
facilitate restoration efforts.

Priority II: A National Cyberspace 
Security Threat and Vulnerability 
Reduction Program 

By exploiting vulnerabilities in our cyber
systems, an organized cyber attack may
endanger the security of our Nation's critical
infrastructures. Cyberspace vulnerabilities occur
in the critical infrastructure enterprises and
government departments themselves, in their
external supporting structures (such as the
mechanisms of the Internet), and in unsecured
sites across the interconnected network of
networks. Vulnerabilities exist for several
reasons including technological weaknesses,
poor security-control implementation, and
absences of effective oversight.

A National Cyberspace Security Threat and
Vulnerability reduction program will include
coordinated national efforts conducted by
governments and the private sector to identify
and remediate the most serious cyber vulnerabilities
through collaborative activities, such as
sharing best practices and evaluating and implementing
new technologies. Additional program
components will include raising cybersecurity
awareness, increasing criminal justice activities,
and developing national security programs to
deter future cyber threats.
Priority III: A National Cyberspace
Security Awareness and Training 
Program 

Many information-system vulnerabilities exist
because of a lack of cyberspace security
awareness on the part of computer users,
systems administrators, technology developers,
procurement officials, auditors, chief information
officers, chief executive officers, and
corporate boards. These vulnerabilities can
present serious risks to the infrastructures even
if they are not actually part of the infrastructure
itself. A lack of trained personnel and the
absence of widely accepted, multi-level certifications
for personnel further complicate the
task of reducing vulnerabilities.

The National Cyberspace Security Awareness 
and Training Program will raise cybersecurity 
awareness in companies, government agencies, 
universities, and among the Nation's computer 
users. It will further address shortfalls in the 
numbers of trained and certified cybersecurity 
personnel. 

Priority IV: Securing Governments' 
Cyberspace 

Although governments administer only a 
minority of the Nation's critical infrastructure 
computer systems, governments at all levels 
perform essential services that rely on each of 
the critical infrastructure sectors, which are 
agriculture, food, water, public health, 
emergency services, government, defense 
industrial base, information and telecommunications, 
energy, transportation, banking and finance, 
chemicals and hazardous materials, and postal 
and shipping. With respect to investment in 
cyberspace security, government can lead by 
example by fostering a marketplace for more 
secure technologies through large procurements 
of advanced information assurance technologies. 
A program to implement such products will 
help to ensure that federal computer systems 
and networks are secure. The federal 
government will also assist state and local 
governments with cybersecurity awareness, 
training, and information exchange. 

Priority V: National Security and 
International Cyberspace Security 
Cooperation 

America's cyberspace links the United States to 
the rest of the world. A network of networks 
spans the planet, allowing malicious actors on 
one continent to act on systems thousands of 
miles away. Cyber attacks cross borders at light 
speed, and discerning the source of malicious 
activity is difficult. America must be capable of 
safeguarding and defending its critical systems 
and networks—regardless of where an attack 
originates. Facilitating our ability to do so 
requires a system of international cooperation to 
enable the information sharing, reduce 
vulnerabilities, and deter malicious actors. 

Actions and Recommendations 

The Strategy highlights actions that the federal 
government will take and makes 
recommendations to our partners in nongovernmental 
organizations. The actions and 
recommendations (A/R) are italicized throughout the 
Strategy and numbered according to the 
associated priority. For example A/R 1-1 is the 
first action or recommendation in Priority I. 
Appendix A provides a summary of all of the 
A/Rs proposed. 

Cyberspace Threats and Vulnerabilities 



A Case for Action 

The terrorist attacks against the United States 
that took place on September 11, 2001, had a 
profound impact on our Nation. The federal 
government and society as a whole have been 
forced to reexamine conceptions of security on 
our home soil, with many understanding only 
for the first time the lengths to which 
self-designated enemies of our country are willing to 
go to inflict debilitating damage. 

We must move forward with the understanding 
that there are enemies who seek to inflict 
damage on our way of life. They are ready to 
attack us on our own soil, and they have shown 
a willingness to use unconventional means to 
execute those attacks. While the attacks of 
September 11 were physical attacks, we are 
facing increasing threats from hostile 
adversaries in the realm of cyberspace as well. 

A Nation Now Fully Dependent on 
Cyberspace 

For the United States, the information 
technology revolution quietly changed the way 
business and government operate. Without a 
great deal of thought about security, the Nation 
shifted the control of essential processes in 
manufacturing, utilities, banking, and 
communications to networked computers. As a result, 
the cost of doing business dropped and 
productivity skyrocketed. The trend toward 
greater use of networked systems continues. 

By 2003, our economy and national security 
became fully dependent upon information 
technology and the information infrastructure. 
A network of networks directly supports the 
operation of all sectors of our economy—energy 
(electric power, oil and gas), transportation (rail, 
air, merchant marine), finance and banking, 
information and telecommunications, public 
health, emergency services, water, chemical, 
defense industrial base, food, agriculture, and 
postal and shipping. The reach of these 
computer networks exceeds the bounds of 
cyberspace. They also control physical objects 
such as electrical transformers, trains, pipeline 
pumps, chemical vats, and radars. 

Threats in Cyberspace 

A spectrum of malicious actors can and do 
conduct attacks against our critical information 
infrastructures. Of primary concern is the threat 
of organized cyber attacks capable of causing 
debilitating disruption to our Nation's critical 
infrastructures, economy, or national security. 
The required technical sophistication to carry 
out such an attack is high—and partially 
explains the lack of a debilitating attack to date. 
We should not, however, be too sanguine. There 
have been instances where attackers have 
exploited vulnerabilities that may be indicative 
of more destructive capabilities. 

Uncertainties exist as to the intent and full 
technical capabilities of several observed 
attacks. Enhanced cyber threat analysis is 
needed to address long-term trends related to 
threats and vulnerabilities. What is known is 
that the attack tools and methodologies are 
becoming widely available, and the technical 
capability and sophistication of users bent on 
causing havoc or disruption is improving. 

As an example, consider the "NIMDA" 
("ADMIN" spelled backwards) attack. Despite 
the fact that NIMDA did not create a 
catastrophic disruption to the critical 
infrastructure, it is a good example of the increased 
technical sophistication showing up in cyber 
attacks. It demonstrated that the arsenal of 
weapons available to organized attackers now 
contains the capability to learn and adapt to its 
local environment. NIMDA was an automated 
cyber attack, a blend of a computer worm and a 
computer virus. It propagated across the Nation 
with enormous speed and tried several different 
ways to infect computer systems it invaded until 
it gained access and destroyed files. It went 
from nonexistent to nationwide in an hour, 
lasted for days, and attacked 86,000 computers. 

Speed is also increasing. Consider that two 
months before NIMDA, a cyber attack called 
Code Red infected 150,000 computer systems 
in 14 hours. 

Because of the increasing sophistication of 
computer attack tools, an increasing number of 
actors are capable of launching nationally 
significant assaults against our infrastructures 
and cyberspace. In peacetime America's enemies 
may conduct espionage on our Government, 
university research centers, and private 
companies. They may also seek to prepare for 
cyber strikes during a confrontation by mapping 
U.S. information systems, identifying key 
targets, lacing our infrastructure with back 
doors and other means of access. In wartime or 
crisis, adversaries may seek to intimidate the 
nation's political leaders by attacking critical 
infrastructures and key economic functions or 
eroding public confidence in information 
systems. 

Cyber attacks on U.S. information networks can 
have serious consequences such as disrupting 
critical operations, causing loss of revenue and 
intellectual property, or loss of life. Countering 
such attacks requires the development of robust 
capabilities where they do not exist today if we 
are to reduce vulnerabilities and deter those 
with the capabilities and intent to harm our 
critical infrastructures. 

Cyberspace provides a means for organized 
attack on our infrastructure from a distance. 
These attacks require only commodity 
technology, and enable attackers to obfuscate 
their identities, locations, and paths of entry. 
Not only does cyberspace provide the ability to 
exploit weaknesses in our critical infrastructures, 
but it also provides a fulcrum for leveraging 
physical attacks by allowing the possibility of 
disrupting communications, hindering U.S. 
defensive or offensive response, or delaying 
emergency responders who would be essential 
following a physical attack. 

In the last century, geographic isolation helped 
protect the United States from a direct physical 
invasion. In cyberspace national boundaries 
have little meaning. Information flows 
continuously and seamlessly across political, ethnic, and 
religious divides. Even the infrastructure that 
makes up cyberspace—software and hardware—
is global in its design and development. Because 
of the global nature of cyberspace, the 
vulnerabilities that exist are open to the world and 
available to anyone, anywhere, with sufficient 
capability to exploit them. 

Reduce Vulnerabilities in the Absence 
of Known Threats 

While the Nation's critical infrastructures 
must, of course, deal with specific threats as 
they arise, waiting to learn of an imminent 
attack before addressing important critical 
infrastructure vulnerabilities is a risky and 
unacceptable strategy. Cyber attacks can burst 
onto the Nation's networks with little or no 
warning and spread so fast that many victims 
never have a chance to hear the alarms. Even 
with forewarning, they likely would not have 
had the time, knowledge, or tools needed 
to protect themselves. In some cases creating 
defenses against these attacks would have 
taken days. 

A key lesson derived from these and other such 
cyber attacks is that organizations that rely on 
networked computer systems must take 
proactive steps to identify and remedy their 
vulnerabilities, rather than waiting for an 
attacker to be stopped or until alerted of an 
impending attack. Vulnerability assessment and 
remediation activities must be ongoing. An 
information technology security audit 
conducted by trained professionals to identify 
infrastructure vulnerabilities can take months. 
Subsequently, the process of creating a 
multi-layered defense and a resilient network to 
remedy the most serious vulnerabilities could 
take several additional months. The process 
must then be regularly repeated. 

Threat and Vulnerability: A Five-Level 
Problem 

Managing threat and reducing vulnerability in 
cyberspace is a particularly complex challenge 
because of the number and range of different 
types of users. Cyberspace security requires 
action on multiple levels and by a diverse group 
of actors because literally hundreds of millions 
of devices are interconnected by a network of 
networks. The problem of cyberspace security 
can be best addressed on five levels. 

Level 1, the Home User/Small Business 

Though not a part of a critical infrastructure, 
the computers of home users can become part 
of networks of remotely controlled machines 
that are then used to attack critical 
infrastructures. Undefended home and small business 
computers, particularly those using digital 
subscriber line (DSL) or cable connections, are 
vulnerable to attackers who can employ the use 
of those machines without the owner's 
knowledge. Groups of such "zombie" machines 
can then be used by third-party actors to launch 
denial-of-service (DoS) attacks on key Internet 
nodes and other important enterprises or 
critical infrastructures. 

Level 2, Large Enterprises 

Large-scale enterprises (corporations, 
government agencies, and universities) are 
common targets for cyber attacks. Many such 
enterprises are part of critical infrastructures. 
Enterprises require clearly articulated, active 
information security policies and programs to 
audit compliance with cybersecurity best 
practices. According to the U.S. intelligence 
community, American networks will be 
increasingly targeted by malicious actors both for the 
data and the power they possess. 

Level 3, Critical Sectors/Infrastructures 

When organizations in sectors of the economy, 
government, or academia unite to address 
common cybersecurity problems, they can often 
reduce the burden on individual enterprises. 
Such collaboration often produces shared 
institutions and mechanisms, which, in turn, could 
have cyber vulnerabilities whose exploitation 
could directly affect the operations of member 
enterprises and the sector as a whole. 
Enterprises can also reduce cyber risks by 
participating in groups that develop best 
practices, evaluate technological offerings, 
certify products and services, and share 
information. 

Several sectors have formed Information 
Sharing and Analysis Centers (ISACs) to 
monitor for cyber attacks directed against their 
respective infrastructures. ISACs are also a 
vehicle for sharing information about attack 
trends, vulnerabilities, and best practices. 

Level 4, National Issues and Vulnerabilities 

Some cybersecurity problems have national 
implications and cannot be solved by individual 
enterprises or infrastructure sectors alone. All 
sectors share the Internet. Accordingly, they are 
all at risk if its mechanisms (e.g., protocols and 
routers) are not secure. Weaknesses in widely 
used software and hardware products can also 
create problems at the national level, requiring 
coordinated activities for the research and 
development of improved technologies. 
Additionally, the lack of trained and certified 
cybersecurity professionals also merits 
national-level concern. 



Level 5, Global 

The worldwide web is a planetary information 
grid of systems. Internationally shared standards 
enable interoperability among the world's 
computer systems. This interconnectedness, 
however, also means that problems on one 
continent have the potential to affect computers 
on another. We therefore rely on international 
cooperation to share information related to 
cyber issues and, further, to prosecute cyber 
criminals. Without such cooperation, our 
collective ability to detect, deter, and minimize 
the effects of cyber-based attacks would be 
greatly diminished. 

New Vulnerabilities Requiring 
Continuous Response 

New vulnerabilities are created or discovered 
regularly. The process of securing networks and 
systems, therefore, must also be continuous. 
The Computer Emergency Response 
Team/Coordination Center (CERT/CC) notes 
that not only are the numbers of cyber incidents 
and attacks increasing at an alarming rate, so 
too are the numbers of vulnerabilities that an 
attacker could exploit. Identified computer 
security vulnerabilities—faults in software and 
hardware that could permit unauthorized 
network access or allow an attacker to cause 
network damage—increased significantly from 
2000 to 2002, with the number of 
vulnerabilities going from 1,090 to 4,129. 

The mere installation of a network security 
device is not a substitute for maintaining and 
updating a network's defenses. Ninety percent 
of the participants in a recent Computer 
Security Institute survey reported using 
antivirus software on their network systems, yet 
85 percent of their systems had been damaged 
by computer viruses. In the same survey, 89 
percent of the respondents had installed 
computer firewalls, and 60 percent had 
intrusion detection systems. Nevertheless, 90 
percent reported that security breaches had 
taken place, and 40 percent of their systems had 
been penetrated from outside their network. 

[Figure: Roles and Responsibilities in Securing Cyberspace] 

The majority of security vulnerabilities can be 
mitigated through good security practices. As 
these survey numbers indicate, however, 
practicing good security includes more than 
simply installing those devices. It also requires 
operating them correctly and keeping them 
current through regular patching and virus 
updates. 

Cybersecurity and Opportunity Cost 

For individual companies and the national 
economy as a whole, improving computer 
security requires investing attention, time, and 
money. For fiscal year 2003, President Bush 
requested that Congress increase funds to 
secure federal computers by 64 percent. 
President Bush's investment in securing federal 
computer networks now will eventually reduce 
overall expenditures through cost-saving 
E-Government solutions, modern enterprise 
management, and by reducing the number of 
opportunities for waste and fraud. 



For the national economy—particularly 
its information technology industry 
component—the dearth of trusted, reliable, 
secure information systems presents a barrier to 
future growth. Much of the potential for 
economic growth made possible by the 
information technology revolution has yet to be 
realized—deterred in part by cyberspace 
security risks. Cyberspace vulnerabilities place 
more than transactions at risk; they jeopardize 
intellectual property, business operations, 
infrastructure services, and consumer trust. 

Conversely, cybersecurity investments result in 
more than costly overhead expenditures. They 
produce a return on investment. Surveys 
repeatedly show that: 

• Although the likelihood of suffering a 
severe cyber attack is difficult to estimate, 
the costs associated with a successful one 
are likely to be greater than the investment 
in a cybersecurity program to prevent it; and 

• Designing strong security protocols into 
the information systems architecture of an 
enterprise can reduce its overall 
operational costs by enabling cost-saving 
processes, such as remote access and 
customer or supply-chain interactions, 
which could not occur in networks lacking 
appropriate security. 

These results suggest that, with greater 
awareness of the issues, companies can benefit 
from increasing their levels of cybersecurity. 
Greater awareness and voluntary efforts are 
critical components of the National Strategy to 
Secure Cyberspace. 

Individual and National Risk 
Management 

Until recently, overseas terrorist networks had 
caused limited damage in the United States. On 
September 11, 2001, that quickly changed. One 
estimate places the increase in cost to our 
economy from attacks to U.S. information 
systems at 400 percent over four years. While 
those losses remain relatively limited, that too 
could change abruptly. 

Every day in the United States individual 
companies, and home computer users, suffer 
damage from cyber attacks that, to the victims, 
represent significant losses. Conditions likewise 
exist for relative measures of damage to occur 
on a national level, affecting the networks and 
systems on which the Nation depends: 

• Potential adversaries have the intent; 

• Tools that support malicious activities are 
broadly available; and, 

• Vulnerabilities of the Nation's systems are 
many and well known. 

No single strategy can completely eliminate 
cyberspace vulnerabilities and their associated 
threats. Nevertheless, the Nation must act to 
manage risk responsibly and to enhance its 
ability to minimize the damage that results 
from attacks that do occur. Through this 
statement, we reveal nothing to potential foes 
that they and others do not already know. In 
1997 a Presidential Commission identified the 
risks in a seminal public report. In 2000 the 
first national plan to address the problem was 
published. Citing these risks, President Bush 
issued an Executive Order in 2001, making 
cybersecurity a priority and accordingly 
increasing funds to secure federal networks. 
In 2002 the President moved to consolidate and 
strengthen federal cybersecurity agencies as 
part of the proposed Department of Homeland 
Security. 



[Figure: Vulnerabilities Reported: 1995 - 2002] 

[Figure: Incidents Handled: 1988 - 2002] 




Government Alone Cannot Secure 
Cyberspace 

Despite increased awareness around the 
importance of cybersecurity and the measures 
taken thus far to improve our capabilities, cyber 
risks continue to underlie our national 
information networks and the critical systems they 
manage. Reducing that risk requires an 
unprecedented, active partnership among 
diverse components of our country and our 
global partners. 



The federal government could not—and, 
indeed, should not—secure the computer 
networks of privately owned banks, energy 
companies, transportation firms, and other parts 
of the private sector. The federal government 
should likewise not intrude into homes and 
small businesses, into universities, or state and 
local agencies and departments to create secure 
computer networks. Each American who 
depends on cyberspace, the network of 
information networks, must secure the part that 
they own or for which they are responsible. 

National Policy and Guiding Principles 



National Policy, Principles, and 
Organization 

This section describes the national policy that 
shapes the National Strategy to Secure Cyberspace 
and the basic framework of principles within 
which it was developed. It also outlines the 
roles and missions of federal agencies. 

National Policy 

The information technology revolution has 
changed the way business is transacted, 
government operates, and national defense is 
conducted. These three functions now depend 
on an interdependent network of critical 
information infrastructures that we refer to as 
"cyberspace." 



It is the policy of the United States to prevent 
or minimize disruptions to critical information 
infrastructures and thereby protect the people, 
the economy, the essential human and 
government services, and the national security 
of the United States. Disruptions that do occur 
should be infrequent, of minimal duration and 
manageable and cause the least damage 
possible. The policy requires a continuous effort 
to secure information systems for critical 
infrastructure and includes voluntary public-private 
partnerships involving corporate and 
nongovernmental organizations. 

Consistent with the objectives of the National 
Strategy for Homeland Security, the objectives of 
the National Strategy to Secure Cyberspace are to: 

• Prevent cyber attacks against our critical 
infrastructures; 

• Reduce our national vulnerabilities to 
cyber attack; and, 

• Minimize the damage and recovery time 
from cyber attacks that do occur. 

Guiding Principles 

In January 2001, the Administration began to 
review the role of information systems and 
cybersecurity. In October 2001, President Bush 
issued Executive Order 13231, authorizing a 
protection program that consists of continuous 
efforts to secure information systems for critical 
infrastructure, including emergency 
preparedness communications and the physical 
assets that support such systems. The Federal 
Information Security Management Act 
(FISMA) and Executive Order 13231, together 
with other relevant Presidential directives and 
statutory authorities, provide the framework for 
executive branch cyberspace security 
activities. 

The protection of these cyber systems is 
essential to every sector of the economy. The 
development and implementation of this 
program directive has been guided by the 
following organizing principles: 

1. A National Effort: Protecting the widely 
distributed assets of cyberspace requires 
the efforts of many Americans. The 
federal government alone cannot defend 
America's cyberspace. Our traditions of 
federalism and limited government 
require that organizations outside the 
federal government take the lead in many 
of these efforts. The government's role in 
securing cyberspace includes promoting 
better security in privately owned 
infrastructures when there is a need to: 

• Convene and facilitate discussions 
between and with nongovernmental 
entities; 

• Identify instances where the "tragedy 
of the commons" can affect 
homeland, national, and economic 
security; and 

• Share information about cyber 
threats and vulnerabilities so 
nongovernmental entities can adjust 
their risk management strategies and 
plans, as appropriate. 

In every case, the scope for government 
involvement is limited to those cases 
when the benefits of 
intervention outweigh the direct and 
indirect costs. 

Every American who can contribute to 
securing part of cyberspace is 
encouraged to do so. The federal 
government promotes the creation of, 
and participation in, public-private 
partnerships to raise awareness, train 
personnel, stimulate market forces, 
improve technology, identify and 
remediate vulnerabilities, exchange 
information, and plan recovery 
operations. Many sectors have undertaken the 
important step of developing ISACs, 
which facilitate communication, the 
development of best practices, and the 
dissemination of security-related 
information. In addition, various sectors have 
developed plans to secure their parts of 
cyberspace, which complement this 
Strategy, and the government intends 
for this productive and collaborative 
partnership to continue. 

2. Protect Privacy and Civil Liberties: The 
abuse of cyberspace infringes on our 
privacy and our liberty. It is incumbent 
on the federal government to avoid such 
abuse and infringement. Cybersecurity 
and personal privacy need not be 
opposing goals. Cyberspace security 
programs must strengthen, not weaken, 
such protections. Accordingly, care must 
be taken to respect privacy interests and 
other civil liberties. Consumers and 
operators must have confidence their 
voluntarily shared, nonpublic information 
will be handled accurately, confidentially, 
and reliably. The federal government will 
lead by example in implementing strong 
privacy policies and practices in the 
agencies. As part of this process, the 
federal government will consult regularly 
with privacy advocates and experts. 

3. Regulation and Market Forces: Federal 
regulation will not become a primary 
means of securing cyberspace. Broad 
regulations mandating how all 
corporations must configure their information 
systems could divert more successful 
efforts by creating a 
lowest-common-denominator approach to cybersecurity, 
which evolving technology would quickly 
marginalize. Even worse, such an 
approach could result in less secure and 
more homogeneous security architectures 
than we have now. By law, some federal 
regulatory agencies already include 
cybersecurity considerations in their oversight 
activity. However, the market itself is 
expected to provide the major impetus to 
improve cybersecurity. 

4. Accountability and Responsibility: The 
National Strategy to Secure Cyberspace is 
focused on producing a more resilient 
and reliable information infrastructure. 
When possible, it designates lead 
executive branch departments or agencies 
for federal cyberspace security initiatives. 
On November 25, 2002, the President 
signed the Homeland Security Act of 2002 
establishing the Department of 
Homeland Security (DHS). DHS will be 
responsible for many of the initiatives 
outlined in the National Strategy to Secure 
Cyberspace. The Strategy also recommends 
actions federal, state and local 
governments, the private sector, and the 
American people can take to help secure 
cyberspace. 



5. Ensure Flexibility: Cyber threats change 
rapidly. Accordingly, the National Strategy 
to Secure Cyberspace emphasizes flexibility 
in our ability to respond to cyber attacks 
and manage vulnerability reduction. The 
rapid development of attack tools 
provides potential attackers with a 
strategic advantage to adapt their 
offensive tactics quickly to target 
perceived weaknesses in networked 
information systems and organizations' 
abilities to respond. Flexible planning 
allows organizations to reassess priorities 
and realign resources as the cyber threat 
evolves. 

6. Multi-Year Planning: Securing cyberspace 
is an ongoing process, as new 
technologies appear and new 
vulnerabilities are identified. The National Strategy 
to Secure Cyberspace provides an initial 
framework for achieving cyberspace 
security objectives. Departments and 
agencies should adopt multi-year 
cybersecurity plans for sustaining their respective 
roles. Other public- and private-sector 
organizations are also encouraged to 
consider multi-year plans. 

Department of Homeland Security and 
Cyberspace Security 

DHS unites 22 federal entities for the common 
purpose of improving homeland security. The 
Department also creates a focal point for 
managing cyberspace incidents that could 
impact the federal government or even the 
national information infrastructures. The 
Secretary of Homeland Security will have 
important responsibilities in cyberspace security, 
including: 

• Developing a comprehensive national plan 
for securing the key resources and critical 
infrastructures of the United States, 
including information technology and 
telecommunications systems (including 
satellites) and the physical and 
technological assets that support such systems; 

• Providing crisis management support in 
response to threats to, or attacks on, 
critical information systems; 

• Providing technical assistance to the 
private sector and other governmental 
entities with respect to emergency 
recovery plans that respond to major 
failures of critical information systems; 

• Coordinating with other federal agencies 
to provide specific warning information 
and advice about appropriate protective 
measures and countermeasures to state 
and local government agencies and 
authorities, the private sector, other 
entities, and the public; and 

• Performing and funding research and 
development along with other agencies 
that will lead to new scientific 
understanding and technologies in support of 
homeland security. 

CRITICAL INFRASTRUCTURE LEAD AGENCIES 

LEAD AGENCY: SECTORS 

Department of Homeland Security: 
• Information and Telecommunications 
• Transportation (aviation, rail, mass transit, waterborne 
commerce, pipelines, and highways (including trucking 
and intelligent transportation systems)) 
• Postal and Shipping 
• Emergency Services 
• Continuity of Government 

Department of the Treasury: 
• Banking and Finance 

Department of Health and Human Services: 
• Public Health (including prevention, surveillance, laboratory 
services, and personal health services) 
• Food (all except for meat and poultry) 

Department of Energy: 
• Energy (electric power, oil and gas production, and storage) 

Environmental Protection Agency: 
• Water 
• Chemical Industry and Hazardous Materials 

Department of Agriculture: 
• Agriculture 
• Food (meat and poultry) 

Department of Defense: 
• Defense Industrial Base 

Designation of Coordinating Agencies 

A productive partnership between the federal
government and the private sector depends on
effective coordination and communication. To
facilitate and enhance this collaborative
structure, the government has designated
a "Lead Agency" for each of the major sectors
of the economy vulnerable to infrastructure
attack. In addition, the Office of Science and
Technology Policy (OSTP) coordinates research
and development to support critical
infrastructure protection. The Office of
Management and Budget (OMB) oversees the
implementation of governmentwide policies,
principles, standards, and guidelines for federal
government computer security programs. The
Department of State coordinates international
outreach on cybersecurity. The Director of
Central Intelligence is responsible for assessing
the foreign threat to U.S. networks and
information systems. The Department of Justice
(DOJ) and the Federal Bureau of Investigation
(FBI) lead the national effort to investigate and
prosecute cybercrime.



The government will continue to support the
development of public-private partnerships.
Working together, sector representatives and
federal lead agencies assess their respective
sectors' vulnerabilities to cyber or physical
attacks and, accordingly, recommend plans or
measures to eliminate significant exposures.
Both technology and the threat environment
can change rapidly. Therefore, sectors and
lead agencies should frequently assess the
reliability, vulnerability, and threat environments
of the Nation's infrastructures and employ
appropriate protective measures and responses
to safeguard them.

The government's full authority, capabilities,
and resources must be available to support
critical infrastructure protection efforts. These
include, as appropriate, crisis management, law
enforcement, regulation, foreign intelligence,
and defense preparedness.

Priority I: A National Cyberspace
Security Response System



In the 1950s and 1960s, our Nation became
vulnerable to attacks from aircraft and missiles
for the first time. The federal government
responded by creating a national system to:
monitor our airspace with radar to detect
unusual activity, analyze and warn of possible
attacks, coordinate our fighter aircraft defenses
during an attack, and restore our Nation after
an attack through civil defense programs.

Today, the Nation's critical assets could be
attacked through cyberspace. The United States
now requires a different kind of national
response system in order to detect potentially
damaging activity in cyberspace, to analyze
exploits and warn potential victims, to
coordinate incident responses, and to restore
essential services that have been damaged.

The fact that the vast majority of cyberspace is
neither owned nor operated by any single group
— public or private — presents a challenge for
creating a National Cyberspace Security
Response System. There is no synoptic or
holistic view of cyberspace. Therefore, there is
no panoramic vantage point from which we can
see attacks coming or spreading. Information
that indicates an attack has occurred (worms,
viruses, denial-of-service attacks) accumulates
through many different organizations. However,
there is no organized mechanism for reviewing
these indicators and determining their
implications.

To mitigate the impact of cyber attacks,
information about them must disseminate widely
and quickly. Analytical and incident response
capabilities that exist in numerous organizations
could be coordinated to determine how to best
defend against an attack, mitigate effects, and
restore service.

Establishing a proper administrative mechanism
for the National Cyberspace Security Response
System presents another challenge. Unlike the
U.S. airspace-monitoring program during the
Cold War, individuals who operate the systems
that enable and protect cyberspace usually are
not federal employees. Thus, the National
Cyberspace Security Response System must
operate from a less formal, collaborative
network of governmental and nongovernmental
organizations.

DHS is responsible for developing the national
cyberspace security response system, which
includes:

• Providing crisis management support in
response to threats to, or attacks on,
critical information systems; and

• Coordinating with other agencies of the
federal government to provide specific
warning information, and advice about
appropriate protective measures and
countermeasures, to state and local
government agencies and authorities,
the private sector, other entities, and
the public.

DHS will lead and synchronize efforts for the
National Cyberspace Security Response System
as part of its overall information sharing and
crisis coordination mandate; however, the
system itself will consist of many organizations
from both government and private sectors. The
authorizing legislation for the Department of
Homeland Security also created the position of
a privacy officer to ensure that any mechanisms
associated with the National Cyberspace
Security Response System appropriately balance
its mission with civil liberty and privacy
concerns. This officer will consult regularly with
privacy advocates, industry experts, and the
public at large to ensure broad input and
consideration of privacy issues so that we
achieve solutions that protect privacy while
enhancing security.

The National Cyberspace Security
Response System

The National Cyberspace Security
Response System is a public-private
architecture, coordinated by the Department of
Homeland Security, for analyzing and
warning; managing incidents of national
significance; promoting continuity in
government systems and private sector
infrastructures; and increasing information
sharing across and between organizations to
improve cyberspace security. The National
Cyberspace Security Response System will
include governmental entities and
nongovernmental entities, such as private
sector information sharing and analysis
centers (ISACs).

Among the system components outlined below 
are existing federal programs and new federal 
initiatives pending budget-review consideration, 
as well as initiatives recommended for our 
partners. 

A. ESTABLISH PUBLIC-PRIVATE 
ARCHITECTURE FOR RESPONDING 
TO NATIONAL-LEVEL CYBER 
INCIDENTS 

Establishing the National Cyberspace Security
Response System will not require an expensive
or bureaucratic federal program. In many cases
the system will augment the capabilities of
several important federal entities with existing
cyberspace security responsibilities, which are
now part of DHS. The synergy that results
from integrating the resources of the National
Communications System, the National
Infrastructure Protection Center's analysis and
warning functions, the Federal Computer
Incident Response Center, the Office of Energy
Assurance, and the Critical Infrastructure
Assurance Office under the purview of the
Under Secretary for Information Analysis and
Infrastructure Protection will help build the
necessary foundation for the National
Cyberspace Security Response System.

National Cyberspace Security Response System

Components/Capabilities

Analysis: DHS Analysis Center
• Strategic group
• Tactical group
• Vulnerability assessments

Warning: DHS Incident Operations Center
• Cyber Warning and Information Network
• ISACs

Incident Management: DHS Incident Management Structure
• Federal coordination
• Private, state and local coordination

Response/Recovery: National Response Contingency Plans
• Federal plans
• Private plan coordination

The Nation's private-sector networks are
increasingly targeted, and they will therefore
likely be the first organizations to detect attacks
with potential national significance. Thus,
ISACs will play an increasingly important role
in the National Cyberspace Security Response
System and the overall missions of homeland
security. ISACs possess unique operational
insight into their industries' core functions and
will help provide the necessary analysis to
support national efforts.

Typically, an ISAC is an industry-led
mechanism for gathering, analyzing, sanitizing,
and disseminating sector-specific security
information and articulating and promulgating best
practices. ISACs are designed by the various
sectors to meet their respective needs and
financed through their memberships. DHS will
work closely with ISACs as appropriate to
ensure that they receive timely and actionable
threat and vulnerability data and to coordinate
voluntary contingency planning efforts. The
federal government encourages the private
sector to continue to establish ISACs and,
further, to enhance the analytical capabilities of
existing ISACs.

1. Analysis 

a. Provide for the Development of Tactical and
Strategic Analysis of Cyber Attacks and
Vulnerability Assessments

Analysis is the first step toward gaining
important insight about a cyber incident,
including the nature of attack, the information
it compromised, and the extent of damage it
caused. Analysis can also provide an indication
of the intruder's possible intentions, the
potential tools he used, and the vulnerabilities
he exploited. There are three closely related,
but discrete, categories of analysis related
to cyberspace:

(i) Tactical analysis examines factors associated
with incidents under investigation or specific,
identified vulnerabilities to generate indications
and warnings. Examples of tactical analysis
include: examining the delivery mechanism of a
computer virus to develop and issue immediate
guidance on ways to prevent or mitigate
damage; and studying a specific computer
intrusion, or set of intrusions, to determine the
perpetrator, his motive, and his method of
attack.

(ii) Strategic analysis looks beyond specific 
incidents to consider broader sets of incidents 
or implications that may indicate threats of 
potential national importance. For example, 
strategic analyses may identify long-term trends 
related to threat and vulnerability that could be 
used to provide advanced warnings of increasing 
risks, such as emerging attack methods. 
Strategic analysis also provides policymakers 
with information they can use to anticipate and 
prepare for attacks, thereby diminishing the 
damage they cause. Strategic analysis also 
provides a foundation to identify patterns that 
can support indications and warnings. 

(iii) Vulnerability assessments are detailed
reviews of cyber systems and their physical
components to identify and study their
weaknesses. Vulnerability assessments are an
integral part of the intelligence cycle for
cyberspace security. These assessments enable
planners to predict the consequences of possible
cyber attacks against specific facilities or sectors
of the economy or government. These
projections then allow infrastructure owners and
operators to strengthen their defenses against
various types of threat. (This will be discussed
in the Cyberspace Security Threat and
Vulnerability Reduction Program.)

DHS will foster the development of strong
analytic capabilities in each of these areas. It
should seek partnership and assistance from the
private sector, including the ISACs, in
developing these capabilities.



2. Warning 

a. Encourage the Development of a Private Sector
Capability to Share a Synoptic View of the
Health of Cyberspace

The lack of a synoptic view of the Internet
frustrates efforts to develop Internet threat
analysis and indication and warning capabilities.
The effects of a cyber attack on one sector have
the potential to cascade across several other
sectors, thereby producing significant
consequences that could rapidly overwhelm the
capabilities of many private companies and state
and local governments. DHS's integration of
several key federal cybersecurity operations
centers creates a focal point for the federal
government to manage cybersecurity
emergencies in its own systems, and, if
requested, facilitate crisis management in
non-federal critical infrastructure systems.

Separately, industry is encouraged to develop a
mechanism — whether virtual or physical — that
could enable the sharing of aggregated
information on Internet health to improve
analysis, warning, response, and recovery. To the
extent permitted by law, this voluntary
coordination of activities among
nongovernmental entities could enable different network
operators and Internet backbone providers to
analyze and exchange data about attacks. Such
coordination could prevent exploits from
escalating and causing damage or disruption
of vital systems.

DHS will create a single point-of-contact for the
federal government's interaction with industry and
other partners for 24 x 7 functions, including
cyberspace analysis, warning, information sharing,
major incident response, and national-level
recovery efforts. Private sector organizations, which
have major contributions for those functions, are
encouraged to coordinate activities, as permitted by
law, in order to provide a synoptic view of the
health of cyberspace on a 24 x 7 basis. (A/R 1-1)

b. Expand the Cyber Warning and Information
Network to Support DHS's Role in
Coordinating Crisis Management for
Cyberspace

Hours and minutes can make a difference
between a major disruption and a manageable
incident. Improving national capabilities for
warning requires a secure infrastructure to
provide assured communications between
critical asset owners and operators and their
service providers. The Cyber Warning and
Information Network (CWIN) will provide an
out-of-band private and secure communications
network for government and industry, with the
purpose of sharing cyber alert and warning
information. The network will include voice
conferencing and data collaboration.

While the first phase was implemented between
the federal government cyber watch centers,
CWIN participants will ultimately include
other critical government and industry partners,
such as ISACs that deal with cyber threats on a
daily basis. As other entities expand in this area,
membership will increase as well. Key to
CWIN membership is the ability to share
sensitive cyber threat information in a secure,
protected, and trusted environment.

As outlined in the 2003 budget, the federal
government will complete the installation of CWIN
to key government cybersecurity-related network
operation centers, to disseminate analysis and
warning information and perform crisis
coordination. The federal government will also explore
linking the ISACs to CWIN. (A/R 1-2)

3. National Incident Management

Enhancing analytical capabilities within DHS,
the private sector ISACs, and expanding
CWIN will contribute to the improvement of
national cyber incident management. However,
incident management within the federal
government will still require coordination with
organizations other than those being transferred
to DHS. For example, the Departments of
Justice, Defense, and Commerce all have roles
to perform in response to incidents in
cyberspace. Within the White House a number
of offices have responsibilities, including the
Office of Science and Technology Policy, which
is responsible for executing emergency
telecommunications authorities, the National Security
Council, which coordinates all matters related
to national security and international
cooperation, and the Office of Management
and Budget.

In addition, national incident management
capabilities will also integrate state chief
information officers as well as international entities,
as appropriate. (See, Priorities IV and V.)

4. Response and Recovery 

a. Create Processes to Coordinate the Voluntary
Development of National Public-Private
Continuity and Contingency Plans

Among the lessons learned from security
reviews following the events of September 11,
2001, was that federal agencies had vastly
inconsistent, and in most cases incomplete,
contingency capabilities for their
communications and other systems. Contingency planning
is a key element of cybersecurity. Without
adequate contingency planning and training,
agencies may not be able to effectively handle
disruptions in service and ensure business
continuity. OMB, through the Federal Information
Security Management Act requirements and
with assistance from the inspectors general, is
holding agencies accountable for developing
continuity plans.

b. Exercise Cybersecurity Continuity Plans in
Federal Cyber Systems

DHS has the responsibility for providing crisis
management support in response to threats to,
or attacks on, critical information systems
for other government agencies, state and local
governments and, upon request, the private
sector. In order to establish a baseline
understanding of federal readiness, DHS will
explore exercises for the civilian agencies similar
to the Defense Department "Eligible Receiver"
exercises that test cybersecurity preparedness.

To test civilian agencies' security preparedness
and contingency planning, DHS will use exercises
to evaluate the impact of cyber attacks on
governmentwide processes. Weaknesses discovered
will be included in agency corrective action plans
and submitted to OMB. DHS also will explore
such exercises as a way to test the coordination of
public and private incident management, response
and recovery capabilities. (A/R 1-3)

(i) Encourage increased cyber risk management
and business continuity. There are a number of
measures that nongovernmental entities can
employ to manage the risk posed by cyberspace
and plan for business continuity. Risk
management is a discipline that involves risk
assessment, risk prevention, risk mitigation, risk
transfer, and risk retention.

There is no special technology that can make
an enterprise completely secure. No matter how
much money companies spend on cybersecurity,
they may not be able to prevent disruptions
caused by organized attackers. Some businesses
whose products or services directly or indirectly
impact the economy or the health, welfare or
safety of the public have begun to use cyber risk
insurance programs as a means of transferring
risk and providing for business continuity.

An important way to reduce an organization's
exposure to cyber-related losses, as well as to
help protect companies from operational and
financial impairment, is to ensure that adequate
contingency plans are developed and tested.

Corporations are encouraged to regularly review
and exercise IT continuity plans and to consider
diversity in IT service providers as a way of
mitigating risk. (A/R 1-4)



(ii) Promote public-private contingency planning
for cybersecurity. It may not be possible to
prevent a wide range of cyber attacks. For those
attacks that do occur, the Nation needs an
integrated public-private plan for responding to
significant outages or disruptions in cyberspace.
Some organizations have plans for how they
will recover their cyber network and capabilities
in the event of a major outage or catastrophe.
However, there is no mechanism for
coordinating such plans across an entire infrastructure
or at a national level.

The legislation establishing DHS also provides
a trusted mechanism for private industry to
develop contingency planning by using the
voluntary preparedness planning provisions that
were established in the Defense Production Act
of 1950, as amended.

Infrastructure sectors are encouraged to establish
mutual assistance programs for cybersecurity
emergencies. DoJ and the Federal Trade
Commission should work with the sectors to address
barriers to such cooperation, as appropriate. In
addition, DHS's Information Analysis and
Infrastructure Protection Directorate will
coordinate the development and regular update of
voluntary, joint government-industry cybersecurity
contingency plans, including a plan for recovering
Internet functions. (A/R 1-5)

B. INFORMATION SHARING 

1. Improve and Enhance Public-Private
Information Sharing about Cyber Attacks,
Threats, and Vulnerabilities

Successfully developing capabilities for analysis,
indications, and warnings requires a voluntary
public-private information sharing effort. The
voluntary sharing of information about such
incidents or attacks is vital to cybersecurity.
Real or perceived legal obstacles make some
organizations hesitant to share information
about cyber incidents with the government or
with each other. First, some fear that shared
data that is confidential, proprietary, or
potentially embarrassing could become subject
to public examination when shared with the
government. Second, concerns about
competitive advantage may impede information
sharing between companies within an industry.
Finally, in some cases, the mechanisms are
simply not yet in place to allow efficient sharing
of information.

The legislation establishing DHS provides
several specific mechanisms intended to
improve two-way information sharing. First, the
legislation encourages industry to share
information with DHS by ensuring that such
voluntarily provided data about threats and
vulnerabilities will not be disclosed in a manner
that could damage the submitter. Second, the
legislation requires that the federal government
share information and analysis with the private
sector as appropriate and consistent with the
need to protect classified and other sensitive
national security information.

As required by law, DHS, in consultation with
appropriate federal agencies, will establish
uniform procedures for the receipt, care, and
storage by federal agencies of critical
infrastructure information that is voluntarily
submitted to the government.

The procedures will address how the
Department will:

• Acknowledge the receipt of voluntarily
submitted critical infrastructure
information;

• Maintain the information as voluntarily
submitted critical infrastructure
information;

• Establish protocols for the care and
storage of such information; and

• Create methods for protecting the
confidentiality of the submitting entity while
still allowing the information to be used in
the issuance of notices and warnings for
protection of the critical infrastructure.



DHS will raise awareness about the removal of
impediments to information sharing about
cybersecurity and infrastructure vulnerabilities between
the public and private sectors. The Department will
also establish an infrastructure protection program
office to manage the information flow, including
the development of protocols for how to care for
"voluntarily submitted critical infrastructure
information." (A/R 1-6)

2. Encourage Broader Information Sharing on
Cybersecurity

Nongovernmental organizations with
significant computing resources are encouraged to
take active roles in information sharing
organizations. Corporations, colleges, and universities
can play important roles in detecting and
reporting cyber attacks, exploits, or
vulnerabilities. In particular, both corporations and
institutions of higher learning can gain from
increased sharing on cyberspace security issues.
Programs such as ISACs, FBI Infragard, or the
United States Secret Service electronic crimes
task forces can also benefit the respective
participants. Because institutions of higher
learning have vast computer resources that can
be used as launch pads for attacks, colleges and
universities are encouraged to consider
establishing an on-call point-of-contact to Internet
service providers (ISPs) and law enforcement
officials.

Corporations are encouraged to consider active
involvement in industrywide programs to share
information on IT security, including the potential
benefits of joining an appropriate ISAC. Colleges
and universities are encouraged to consider
establishing: (1) one or more ISACs to deal with cyber
attacks and vulnerabilities; and, (2) an on-call
point-of-contact, to Internet service providers and
law enforcement officials in the event that the
school's IT systems are discovered to be launching
cyber attacks. (A/R 1-7)

Priority II: A National Cyberspace Security
Threat and Vulnerability Reduction
Program



Malicious actors in cyberspace can take many
forms including individuals, criminal cartels,
terrorists, or nation states. While attackers take
many forms, they all seek to exploit
vulnerabilities created by the design or implementation of
software, hardware, networks, and protocols to
achieve a wide range of political or economic
effects. As our reliance on cyberspace increases
so too does the scope of damage that malicious
actors can impose.

Waiting to act until we learn that a malicious
actor is about to exploit a particular
vulnerability is risky. Such warning information may
not always be available. Even when warning
data is available, remediation of some
vulnerabilities may take days, weeks, or even years. As a
result, vulnerabilities must be identified and
corrected in critical networks before threats
surface. The most dangerous vulnerabilities
must be prioritized and reduced in a systematic
fashion.

As technology evolves and new systems are
introduced, new vulnerabilities emerge.
Our strategy cannot be to eliminate all
vulnerabilities, or to deter all threats. Rather, we
will pursue a three-part effort to:

(1) Reduce threats and deter malicious 
actors through effective programs to 
identify and punish them; 

(2) Identify and remediate those existing 
vulnerabilities that could create the most 
damage to critical systems, if exploited; 
and 

(3) Develop new systems with less
vulnerability and assess emerging technologies
for vulnerabilities.

The federal government cannot accomplish
these goals acting alone. It can only do so in
partnership with state and local governments
and the private sector. Many federal agencies
must play a part in this effort, which will be led
and coordinated by DHS as part of its overall
vulnerability reduction mandate.

The components of this program are discussed
in this section. They include federal programs
(both existing programs and initiatives that will
be considered as part of the budget decision
making process) and activities that the federal
government recommends to its partners. Many
activities that can be taken by individuals,
companies, and other private organizations to
reduce vulnerabilities will be stimulated and
accelerated through awareness and are discussed
as part of the awareness initiative described in
Priority III.

A. REDUCE THREAT AND DETER 
MALICIOUS ACTORS 

1. Enhance Law Enforcement's Capabilities for
Preventing and Prosecuting

The National Strategy to Secure Cyberspace is
especially concerned with those threats that
could cause significant damage to our economy
or security through actions taken using or
against our cyber infrastructure. By identifying
threats that would cause us significant harm, we
can reduce the threats to homeland security,
national security, and the economy. Law
enforcement and the national security
community play a critical role in preventing
attacks in cyberspace. Law enforcement plays
the central role in attributing an attack through
the exercise of criminal justice authorities.

Many cyber-based attacks are crimes. As a
result, the Justice Department's Computer
Crime and Intellectual Property Section, the
FBI's Cyber Division, and the U.S. Secret
Service all play a central role in apprehending
and swiftly bringing to justice the responsible
individuals. When incidents do occur, a rapid
response can stem the tide of an ongoing attack
and lessen the harm that is ultimately caused.
The Nation currently has laws and mechanisms
to ensure quick responses to large incidents.
Ideally, an investigation, arrest, and prosecution
of the perpetrators, or a diplomatic or military
response in the case of a state-sponsored action,
will follow such an incident.

Threat reduction, however, involves more than
prosecution. Analyzing and disseminating
practical information gathered by law
enforcement can help promote national
infrastructure security. For example, through various
initiatives such as the FBI Infragard program
and the U.S. Secret Service electronic crimes
task forces, law enforcement can share lessons
learned from attacks with private sector
organizations. The information gleaned from
investigations can provide the federal
government and private industry a framework
for examining the robustness of their
cybersecurity skill sets, and assist in prioritizing their
limited resources to manage the unique risk of
their enterprise.

Justice and the FBI will need to work closely
with DHS to ensure that the information
gleaned from investigations is appropriately
analyzed and shared with ISACs and other
nongovernmental entities to promote improved
risk management in critical infrastructure
sectors.

The Nation will seek to prevent, deter, and
significantly reduce cyber attacks by ensuring
the identification of actual or attempted
perpetrators followed by an appropriate government
response. In the case of cybercrime this would
include swift apprehension, and appropriately
severe punishment.

DOJ and other appropriate agencies will develop
and implement efforts to reduce cyber attacks and
cyber threats through the following means: (1)
identifying ways to improve information sharing
and investigative coordination within the federal,
state, and local law enforcement community
working on critical infrastructure and cyberspace
security matters, and with other agencies and the
private sector; (2) exploring means to provide
sufficient investigative and forensic resources and
training to facilitate expeditious investigation and
resolution of critical infrastructure incidents; and,
(3) developing better data about victims of
cybercrime and intrusions in order to understand the
scope of the problem and be able to track changes
over time. (A/R 2-1)

2. Create a Process for National Vulnerability
Assessments to Better Understand the
Potential Consequences of Threats and
Vulnerabilities

a. Assess the Potential Impact of Strategic Cyber
Attacks

To better understand how to further detect and
prevent attacks, the Nation must know the
threat it is facing. To date, no comprehensive
assessment of the impact of a strategic cyber
attack against the United States has been
conducted. Because nation states and terrorists
are developing capabilities for cyber-based
attacks, it is important to understand the
potential impact of such an attack and possible
ways to mitigate the effects. DHS, in
coordination with appropriate agencies and the private
sector, will lead in the development and conduct of
a national threat assessment including red teaming,
blue teaming, and other methods to identify the
impact of possible attacks on a variety of targets.
(A/R 2-2)

B. IDENTIFY AND REMEDIATE 
EXISTING VULNERABILITIES 

Reducing vulnerabilities can be resource intensive. Accordingly, our
national efforts to identify and remediate vulnerabilities must be
focused to reduce vulnerabilities in a cost effective and systematic
manner. The United States must reduce vulnerabilities in four major
components of cyberspace, including: (1) the mechanisms of the
Internet; (2) digital control systems/supervisory control and data
acquisition systems; (3) software and hardware vulnerability
remediation; and, (4) physical infrastructure and interdependency.
These four areas have broad implications for the majority of the
Nation's critical infrastructures. Initiating efforts to eliminate
vulnerabilities in these important areas will reduce the vulnerability
of critical infrastructure services to attack or compromise.

How the Internet Works

Data sent from one computer to another across the Internet is broken
into small packets of information containing addressing information as
well as a portion of the total message. The packets travel across the
Internet separately and are reassembled at the receiving computer.
There are two primary protocols that enable these packets of data to
traverse the complex networks and arrive in an understandable format.
These protocols are: (1) the Transmission Control Protocol (TCP),
which decomposes data into packets and ensures that they are
reassembled properly at the destination; and (2) the Internet Protocol
(IP), which guides or routes the packets of data through the Internet.
Together they are referred to as TCP/IP.

IP is essential to almost all Internet activities including sending
data such as e-mail. Data is transmitted based on IP addresses, which
are a series of numbers. The Domain Name System (DNS) was developed to
simplify the management of IP addresses. The DNS maps IP numbers to
recognizable sets of letters, words or numbers. The DNS does this by
establishing domains and a structured hierarchical addressing scheme.

1. Secure the Mechanisms of the Internet

The development and implementation of the mechanisms for securing the
Internet are responsibilities shared by its owners, operators, and
users. Private industry is leading the effort to ensure that the core
functions of the Internet develop in a secure manner. As appropriate,
the federal government will continue to support these efforts. The
goal is the development of secure and robust mechanisms that will
enable the Internet to support the Nation's needs now and in the
future. This will include securing the protocols on which the Internet
is based, ensuring the security of the routers that direct the flow of
data, and implementing effective management practices.

a. Improve the Security and Resilience of Key Internet Protocols

Essential to the security of the Internet infrastructure is ensuring
the reliability and secure use of three key protocols: the Internet
Protocol (IP), the Domain Name System (DNS), and the Border Gateway
Protocol (BGP).

(i) Internet Protocol. The Internet is currently based on Internet
Protocol version 4 (IPv4). Some organizations and countries are moving
to an updated version of the protocol, version 6 (IPv6). IPv6 offers
several advantages over IPv4. In addition to offering a vast amount of
addresses, it provides for improved security features, including
attribution and native IP security (IPSEC), as well as enabling new
applications and capabilities. Some countries are moving aggressively
to adopt IPv6. Japan has committed to a fully IPv6 based
infrastructure by 2005. The European Union has initiated steps to move
to IPv6. China is also considering early adoption of the protocol.

The United States must understand the merits of, and obstacles to,
moving to IPv6 and, based on that understanding, identify a process
for moving to an IPv6 based infrastructure. The federal government can
lead in developing this understanding by employing IPv6 on some of its
own networks and by coordinating its activities with those in the
private sector. The Department of Commerce will form a task force to
examine the issues related to IPv6, including the appropriate role of
government, international interoperability, security in transition,
and costs and benefits. The task force will solicit input from
potentially impacted industry segments (A/R 2-3).

(ii) Secure the Domain Name System. DNS serves as the central database
that helps route information throughout the Internet. The ability to
route information can be disrupted when the databases cannot be
accessed or updated or when they have been corrupted. Attackers can
disrupt the DNS by flooding the system with information or requests or
by gaining access to the system and corrupting or destroying the
information that it contains. The October 21, 2002 attacks on the core
DNS root servers revealed a vulnerability of the Internet by degrading
or disrupting some of the 13 root servers necessary for the DNS to
function. The occurrence of this attack punctuates the urgent need for
expeditious action to make such attacks more difficult and less
effective.

(iii) Border Gateway Protocol. Of the many routing protocols in use
within the Internet, the Border Gateway Protocol (BGP) is at greatest
risk of being the target of attacks designed to disrupt or degrade
service on a large scale. BGP is used to interconnect the thousands of
networks that make up the Internet. It allows routing information to
be exchanged between networks that may have separate administrators,
administrative policies, or protocols.
Propagation of false routing information in the Internet can deny
service to small or large portions of the Internet. For example, false
routes can create "black holes" that absorb traffic destined for a
particular block of address space. They can also lead to cascade
failures that have occurred in other types of large routing/switching
systems in the past, where the failure of one switch or mechanism
results in the failure of those connected to it, resulting in
additional waves of failures expanding outward from the initial fault.

More secure forms of BGP and DNS will benefit all owners, operators
and users of the Internet. To address this issue, the Internet
Engineering Task Force, a voluntary private body consisting of users,
owners, and operators of the Internet, has established working groups
for securing BGP and DNS. These groups have made progress, but have
been limited by technical obstacles and the need for coordination.

The security and continued functioning of the Internet will be greatly
influenced by the success or failure of implementing more secure and
more robust BGP and DNS. The Nation has a vital interest in ensuring
that this work proceeds. The government should play a role when
private efforts break down due to a need for coordination or a lack of
proper incentives.

b. Promote Improved Internet Routing

Routers on the Internet share a number of design characteristics that
make them relatively easy to disable, especially through
denial-of-service (DoS) attacks that overwhelm a router's processing
capability. Internet routing can be substantially improved by
promoting increased use of address verification and "out-of-band"
management.

(i) Address Verification. Today there are few effective solutions
available, even commercially, to mitigate the effect of DoS attacks,
as the scale and lack of address verification and accountability makes
filtering and contacting the sources of an attack impossible. One of
the largest weaknesses in our current Internet infrastructure is the
lack of source address verification. Establishing an Internet
infrastructure that provides forged source address filtering is a
critical step towards defeating these types of attacks.
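
The forged source address filtering described above, as an added example that is not part of the strategy document: a provider edge accepts a packet from a customer interface only when its source address lies inside the prefixes assigned to that interface, and tallies drops per interface so forged traffic can be attributed. Interface names, prefixes (taken from the documentation ranges) and packets are constructed.

```python
"""Ingress source-address verification at a provider edge (added example).

Interface names, prefixes and sample packets are constructed; the prefixes
come from the address ranges reserved for documentation.
"""
import ipaddress
from collections import Counter

# Prefixes the provider has assigned to each customer-facing interface.
ASSIGNED = {
    "cust-a": ["192.0.2.0/25", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/24"],
}

# Source ranges that are never valid on a packet arriving from a customer.
NEVER_VALID = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4", "::1/128", "ff00::/8",
)]


def build_table(assigned):
    """Parse the per-interface prefix strings into network objects."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in assigned.items()}


def _contains(net, addr):
    """True when addr is the same IP version as net and falls inside it."""
    return net.version == addr.version and addr in net


def verify_source(table, ifname, src):
    """Return (accept, reason) for a packet with source `src` on `ifname`."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False, "malformed"
    if any(_contains(net, addr) for net in NEVER_VALID):
        return False, "never-valid"
    nets = table.get(ifname)
    if nets is None:
        # Fail closed: an interface with no assignment forwards nothing.
        return False, "unknown-interface"
    if any(_contains(net, addr) for net in nets):
        return True, "assigned"
    return False, "not-assigned"


def filter_packets(table, packets):
    """Split packets into forwarded ones and a per-interface drop tally.

    The tally is the accountability half of the control: it shows which
    customer interface forged traffic is entering through.
    """
    forwarded, drops = [], Counter()
    for ifname, src, dst in packets:
        ok, reason = verify_source(table, ifname, src)
        if ok:
            forwarded.append((ifname, src, dst))
        else:
            drops[(ifname, reason)] += 1
    return forwarded, drops


# Constructed packets: (arrival interface, source address, destination).
SAMPLE = [
    ("cust-a", "192.0.2.10", "203.0.113.5"),            # inside cust-a's /25
    ("cust-a", "198.51.100.7", "203.0.113.5"),          # cust-b's space on cust-a
    ("cust-a", "192.0.2.200", "203.0.113.5"),           # outside the /25
    ("cust-b", "198.51.100.7", "203.0.113.5"),          # inside cust-b's /24
    ("cust-b", "127.0.0.1", "203.0.113.5"),             # loopback as source
    ("cust-a", "2001:db8:a:1::5", "2001:db8:ffff::1"),  # inside cust-a's /48
    ("cust-b", "2001:db8:a:1::5", "2001:db8:ffff::1"),  # cust-a's space on cust-b
]

if __name__ == "__main__":
    forwarded, drops = filter_packets(build_table(ASSIGNED), SAMPLE)
    print("forwarded:", len(forwarded))
    for (ifname, reason), count in sorted(drops.items()):
        print(f"dropped on {ifname}: {count} ({reason})")
```

The check only works at the edge where the provider knows which prefixes belong behind each interface; further into the network that knowledge is lost.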

(ii) Out-of-Band Management. DoS attacks are difficult to mitigate
because they prevent control data from reaching the router. Separate
control networks, commonly called "out-of-band" management links, are
one technique that can be used to counter DoS attacks.

DHS will examine the need for increased research to improve router
security through new technology or approaches to routing information.
In particular, DHS will assess progress on out-of-band management and
address filtering and recommend steps that can be taken by government
or the private sector to improve their effectiveness and use. In
addition, DHS will work with the private sector to understand the most
efficient path and obstacles to increasing router security using
current techniques and technology.

c. Improve Management

Much improvement can be made in the security of the Internet
infrastructure if best practices for managing the Internet, including
the data that flows through it and the equipment that supports it, are
widely employed. DHS will work with organizations that own and operate
the Internet to develop and promote the adoption of best practices. In
particular, DHS will work with Internet service providers to help
develop a widely accepted "code of conduct" for network management.
This work will include a review of existing documented best practices
such as those published by Network Reliability and Interoperability
Council (NRIC) of the Federal Communications Commission (FCC).

DHS, in coordination with the Commerce Department and appropriate
agencies, will coordinate public-private partnerships to encourage:
(1) the adoption of improved security protocols; (2) the development
of more secure router technology; and, (3) the adoption by ISPs of a
"code of good conduct," including cybersecurity practices and security
related cooperation. DHS will support these efforts as required for
their success, subject to other budget considerations. (A/R 2-4)

2. Foster Trusted Digital Control Systems/Supervisory Control and Data
Acquisition Systems

Many industries in America have radically transformed the way they
control and monitor equipment over the last 20 years by employing
digital control systems (DCS) and supervisory control and data
acquisition systems (SCADA). DCS/SCADA are computer-based systems that
are used by many infrastructures and industries to remotely control
sensitive processes and physical functions that once had to be
controlled manually. DCS and SCADA are present in almost every sector
of the economy including water, transportation, chemicals, energy, and
manufacturing, among others. Increasingly DCS/SCADA systems use the
Internet to transmit data rather than the closed networks used in the
past.

Securing DCS/SCADA is a national priority. Disruption of these systems
can have significant consequences for public health and safety.
However, securing these systems is complicated by various factors.
First, adding security requires investment in systems and in research
and development that companies cannot afford or justify on their own.
Such research may require the involvement of multiple infrastructure
operators or industries. Second, current technological limitations
could impede the implementation of security measures. For example,
DCS/SCADA systems are typically small and self-contained units with
limited power supplies. Security features are not easily adapted to
the space or power requirements. In addition, these systems operate in
real time and security measures could reduce performance or impact the
synchronization of larger processes.

Both the private and public sectors have a role in securing SCADA
systems. DHS, in coordination with the Department of Energy and other
concerned agencies, will work in partnership with private industry to
ensure that there is broad awareness among industry vendors and users,
both regulated and unregulated, of the vulnerabilities in DCS/SCADA
systems, and the consequences of exploitation of those
vulnerabilities. For operators of DCS/SCADA systems, these efforts
should include developing and deploying training and certification of
DCS/SCADA-oriented software and hardware security. In addition, DHS
will work with the private sector to promote voluntary standards
efforts, and security policy creation.

The development of adequate test bed environments and the development
of technology in the areas of extremely low latency link
encryptors/authenticators, key management, and network
status/state-of-health monitoring will aid in the effort to secure
DCS/SCADA. DHS, in coordination with DOE and other concerned agencies
and in partnership with industry, will develop best practices and new
technology to increase security of DCS/SCADA, to determine the most
critical DCS/SCADA-related sites, and to develop a prioritized plan
for short-term cybersecurity improvements in those sites. (A/R 2-5)

3. Reduce and Remediate Software 
Vulnerabilities 

A third critical area of national exposure is the many flaws that
exist in critical infrastructure due to software vulnerabilities. New
vulnerabilities emerge daily as use of software reveals flaws that
malicious actors can exploit. Currently, approximately 3,500
vulnerabilities are reported annually. Corrections are usually
completed by the manufacturer in the form of a patch and made
available for distribution to fix the flaws.

Many known flaws, for which solutions are available, remain
uncorrected for long periods of time. For example, the top ten known
vulnerabilities account for the majority of reported incidents of
cyber attacks. This happens for multiple reasons. Many system
administrators may lack adequate training or may not have time to
examine every new patch to determine whether it applies to their
system. The software to be patched may affect a complex set of
interconnected systems that take a long time to test before a patch
can be installed with confidence. If the systems are critical, it
could be difficult to shut them down to install the patch.

Unpatched software in critical infrastructures makes those
infrastructures vulnerable to penetration and exploitation. Software
flaws are exploited to propagate "worms" that can result in denial of
service, disruption, or other serious damage. Such flaws can be used
to gain access to and control over physical infrastructure. Improving
the speed, coverage, and effectiveness of remediation of these
vulnerabilities is important for both the public and private sector.

Several steps will help. First, the Nation needs a better-defined
approach to the disclosure of vulnerabilities. The issue is complex
because exposing vulnerabilities both helps speed the development of
solutions and also creates opportunities for would-be attackers. In
addition, the clearinghouse for such disclosures must be a neutral
body between vendors, security companies, and the public at large.
Today the government partially funds such organizations. However, the
appropriate level and form for this funding need to be reviewed. DHS
will work with the National Infrastructure Advisory Council and
private sector organizations to develop an optimal approach and
mechanism for vulnerability disclosure. (A/R 2-6)



A second step that will speed the distribution of patches in software
systems is the creation of common test-beds. Such test-beds running
applications that are common among government agencies or companies
can speed patch implementation by testing one time, for many users,
the impact that a patch will have on a variety of applications. GSA
will work with DHS on an improved approach to implementing a patch
clearinghouse for the federal government. DHS will also share lessons
learned with the private sector and encourage the development of a
voluntary, industry-led, national effort to develop a similar
clearinghouse for other sectors including large enterprises. (A/R 2-7)

Finally, best practices in vulnerability remediation should be
established and shared in areas such as training requirements for
system administrators, the use of automated tools, and management
processes for patch implementation. DHS will work with public and
private entities on the development and dissemination of such
practices. More secure initial configurations for shipped cyber
products would facilitate more secure use by making the default set-up
secure rather than insecure. The software industry is encouraged to
consider promoting more secure "out-of-the-box" installation and
implementation of their products, including increasing: (1) user
awareness of the security features in products; (2) ease-of-use for
security functions; and, (3) where feasible, promotion of industry
guidelines and best practices that support such efforts. (A/R 2-8)

4. Understand Infrastructure Interdependency and Improve Physical
Security of Cyber Systems and Telecommunications

Reducing the vulnerability of the cyber infrastructure includes
mitigating the potentially devastating attacks on cyberspace that can
occur when key physical linkages are destroyed. The impact of such
attacks can be amplified by cascading impacts through a variety of
dependent infrastructures affecting both the economy and the health
and welfare of citizens: a train derailed in a Baltimore tunnel and
the Internet slowed in Chicago; a campfire in New Mexico damaged a gas
pipeline and IT-related production halted in Silicon Valley; a
satellite spun out of control hundreds of miles above the Earth and
affected bank customers could not use their ATMs.

Cyberspace has physical manifestations: the buildings and conduits
that support telecommunications and Internet networks. These physical
elements have been designed and built to create redundancy and avoid
single points of failure. Nonetheless, the carriers and service
providers are encouraged to independently and collectively continue to
analyze their networks to strengthen reliability and intentional
redundancy. The FCC, through its Network Reliability and
Interoperability Council, and the National Security Telecommunications
Advisory Committee, can contribute to such efforts and should identify
any governmental impediments to strengthening the national networks.

DHS will work actively to reduce interdependencies and physical
vulnerability. DHS will establish and lead a public-private
partnership to identify cross-sectoral interdependencies, both cyber
and physical. The partnership will develop plans to reduce related
vulnerabilities in conjunction with programs proposed in the National
Strategy for Homeland Security. The National Infrastructure Simulation
and Analysis Center in DHS will support these efforts by developing
models to identify the impact of cyber and physical interdependencies.
(A/R 2-9)

DHS also will support, when requested and as appropriate, voluntary
efforts by owners and operators of information system networks and
network data centers to develop remediation and contingency plans to
reduce the consequences of large scale physical damage to facilities
supporting such networks and to develop appropriate procedures for
limiting access to critical facilities. (A/R 2-10)



C. DEVELOP SYSTEMS WITH FEWER 
VULNERABILITIES AND ASSESS 
EMERGING TECHNOLOGIES FOR 
VULNERABILITIES 

As the Nation takes steps to improve the 
security of current systems, it must also ensure 
that future cyber systems and infrastructure are 
built to be secure. This will become increasingly 
important as more and more of our daily 
economic and physical lives come to depend on 
cyber infrastructure. Future security requires 
research in cyberspace security topics and a 
commitment to the development of more secure 
products. 

1. Prioritize the Federal Research and Development Agenda

Federal investment in research for the next generation of technologies
to maintain and secure cyberspace must keep pace with an increasing
number of vulnerabilities. Flexibility and nimbleness are important in
ensuring that the research and development process accommodates the
dynamic technology environment in the years ahead.

The Nation will prioritize and provide resources as necessary to
advance the research to secure cyberspace. A new generation of
enabling technologies will serve to "modernize" the Internet for
rapidly growing traffic volumes, expanded e-commerce, and the advanced
applications that will be possible only when next-generation networks
are widely available. As a result, national research efforts must be
prioritized to support the transition of cyberspace into a secure,
high-speed knowledge and communications infrastructure for this
century. Vital research is required for this effort. The Nation must
prioritize its cyberspace security research efforts across all sectors
and funding sources.

To meet these needs, the Director of OSTP will coordinate the
development, and update on an annual basis, a federal government
research and development agenda that includes near-term (1-3 years),
mid-term (3-5 years), and later (5 years out and longer) IT security
research for Fiscal Year 2004 and beyond. Existing priorities include,
among others, intrusion detection, Internet infrastructure security
(including protocols such as BGP and DNS), application security, DoS,
communications security (including SCADA system encryption and
authentication), high-assurance systems, and secure system
composition. (A/R 2-11)

To optimize research efforts relative to those of the private sector,
DHS will ensure that adequate mechanisms exist for coordination of
research and development among academia, industry, and government, and
will develop new mechanisms where needed. (A/R 2-12)

An important goal of cybersecurity research will be the development of
highly secure, trustworthy, and resilient computing systems. In the
future, working with a computer, the Internet, or any other cyber
system may become as dependable as turning on the lights or the water.

The Nation must seek to ensure that future components of the cyber
infrastructure are built to be inherently secure and dependable for
their users. Development of highly secure and reliable systems will be
pursued, subject to budgeting constraints, through the national
cyberspace security research agenda.

The private sector is encouraged to consider including in near-term
research and development priorities, programs for highly secure and
trustworthy operating systems. If such systems are developed and
successfully evaluated, the federal government will, subject to budget
considerations, accelerate procurement of such systems. (A/R 2-13)

In addition, DHS will facilitate a national public-private effort to
promulgate best practices and methodologies that promote integrity,
security, and reliability in software code development, including
processes and procedures that diminish the possibilities of erroneous
code, malicious code, or trap doors that could be introduced during
development. (A/R 2-14)

2. Assess and Secure Emerging Systems

As new technologies are developed they introduce the potential for new
security vulnerabilities. Some new technologies introduce security
weaknesses that are only corrected over time, with great difficulty,
or sometimes not at all. A person driving in a car around a city, for
example, can access many wireless local area networks without the
knowledge of their owners unless strong security measures are added to
those systems.

As telephones and personal digital assistants, and many other mobile
devices, incorporate more sophisticated operating systems and
connectivity, they may require security features to prevent their
exploitation for distributed attacks on mobile networks and even the
Internet.

Emerging areas of research also can produce unforeseen consequences
for security. The emergence of optical computing and intelligent
agents, as well as in the longer term, developments in areas such as
nanotechnology and quantum computing, among others, will likely
reshape cyberspace and its security. The Nation must be at the leading
edge in understanding these technologies and their implications for
security.

DHS, in coordination with OSTP and other agencies, as appropriate,
will facilitate communication between the public and private research
and the security communities, to ensure that emerging technologies are
periodically reviewed by the appropriate body within the National
Science and Technology Council, in the context of possible homeland
and cyberspace security implications, and relevance to the federal
research agenda. (A/R 2-15)

Priority III: A National Cyberspace
Security Awareness and Training Program



Everyone who relies on part of cyberspace is encouraged to help secure
the part of cyberspace that they can influence or control.

To do that, users need to know the simple 
things that they can do to help to prevent 
intrusions, cyber attacks, or other security 
breaches. All users of cyberspace have some 
responsibility not just for their own security 
but also for the overall security and health of 
cyberspace. 

In addition to the vulnerabilities in existing information technology
systems, there are at least two other major barriers to users and
managers acting to improve cybersecurity: (1) a lack of familiarity,
knowledge, and understanding of the issues; and (2) an inability to
find sufficient numbers of adequately trained and/or appropriately
certified personnel to create and manage secure systems.

Among the components of this priority are the following:

• Promote a comprehensive national awareness program to empower all
Americans—businesses, the general workforce, and the general
population—to secure their own parts of cyberspace;

• Foster adequate training and education programs to support the
Nation's cybersecurity needs;

• Increase the efficiency of existing federal cybersecurity training
programs; and

• Promote private sector support for well-coordinated, widely
recognized professional cybersecurity certification.

Key to any successful national effort to enhance cybersecurity must be
a national effort to raise awareness (of users and managers at all
levels) and maintain an adequate pool of well trained and certified IT
security specialists. The federal government cannot by itself create
or manage all aspects of such an effort. It can only do so in
partnership with industry, other governments, and nongovernmental
actors.

Many federal agencies must play a part in this effort, which will be
led and coordinated by DHS. The components of this program will
include the following federal programs (both existing programs and
initiatives which will be considered as part of the budget decision
making process) and activities, which we recommend to our partners.

A. AWARENESS 

1. Promote a Comprehensive National Awareness Program to Empower All
Americans—Businesses, the General Workforce, and the General
Population—to Secure their Own Parts of Cyberspace

In many cases solutions to cybersecurity issues exist, but the people
who need them do not know they exist or do not know how or where to
find them. In other cases people may not even be aware of the need to
make a network element secure. A small business, for example, may not
realize that the configuration of its web server uses a default
password that allows anyone to gain control of the system. Education
and outreach play an important role in making users and operators of
cyberspace sensitive to security needs. These activities are an
important part of the solution for almost all of the issues discussed
in the National Strategy to Secure Cyberspace, from securing digital
control systems in industry to securing broadband Internet access at
home.

DHS, working in coordination with appropriate federal, state and local
entities and private sector organizations, will facilitate a
comprehensive awareness campaign including audience-specific awareness
materials, expansion of the StaySafeOnline campaign, and development
of awards programs for those in industry making significant
contributions to security. (A/R 3-1)

Increasing awareness and education prepares private sectors,
organizations, and individuals to secure their parts of cyberspace.
Actions taken by one entity on a network can immediately and
substantially affect one or many others. Because the insecurity of one
participant in cyberspace can have a major impact on the others, the
actions they take to secure their own networks contribute to the
security of the whole. For example, a few subverted servers recently
enabled an attack on some of the Internet Domain Name System root
servers and threatened to disrupt service for many users. Through
improved awareness the Nation can stimulate actions to secure
cyberspace by creating an understanding at all audience levels of both
cybersecurity issues and solutions. DHS will lead an effort to
increase cybersecurity awareness for key audiences:

a. Home Users and Small Business 

Home users and small business are not part of the critical
infrastructures. However, their systems are being increasingly
subverted by malicious actors to attack critical systems. Therefore,
increasing the awareness about cybersecurity among these users
contributes to greater infrastructure security. Home users and small
business owners of cyber systems often start with the greatest
knowledge gap about cybersecurity.

DHS, in coordination with other agencies and private organizations,
will work to educate the general public of home users, students,
children, and small businesses on basic cyberspace safety and security
issues. As part of these efforts, DHS will partner with the Department
of Education and state and local governments to elevate the exposure
of cybersecurity issues in primary and secondary schools. In addition,
the Federal Trade Commission will continue to provide information on
cybersecurity for consumers and small businesses through
http://www.ftc.gov/infosecurity.

DHS, in coordination with the Department of Education, will encourage
and support, where appropriate subject to budget considerations,
state, local, and private organizations in the development of programs
and guidelines for primary and secondary school students in
cybersecurity. (A/R 3-2)

In recent years, with the spread of "always on" connections for
systems, such as cable modems, digital subscriber lines (DSL), and
wireless and satellite systems, the security of home user and small
business systems has become more important not only to the users
themselves, but to others to which they are connected through the
Internet. For example, these connections generally mean that larger
amounts of data can be sent and done so in a continuous stream. These
two factors can be exploited and used to attack other systems,
possibly even resulting in nationally significant damage. The Internet
service providers, antivirus software companies, and operating
system/application software developers that provide services or
products to home users and small businesses can help raise their
awareness of cybersecurity issues.

Home users and small businesses can help the
Nation secure cyberspace by securing their own
connections to it. Installing firewall software and
updating it regularly, maintaining current
antivirus software, and regularly updating
operating systems and major applications with
security enhancements are actions that individuals
and enterprise operators can take to help secure
cyberspace. To facilitate such actions, DHS will
create a public-private task force of private
companies, organizations, and consumer users
groups to identify ways that providers of
information technology products and services, and other
organizations can make it easier for home users and
small businesses to secure their systems. (A/R 3-3)

b. Large Enterprises 

The security of large enterprises is important
not only to individual businesses, but to the
Nation as a whole. Large enterprises own major
cyber networks and computing systems that, if
not secure, can be exploited for attacks on other
businesses in an increasingly interconnected
economy and could, in the case of a massive
attack, have major economic consequences. The
cybersecurity of large enterprises can be
improved through strong management to
ensure that best practices and efficient
technology are being employed, especially in the
areas of configuration management,
authentication, training, incident response, and network
management. DHS will continue the work of
sensitizing the owners of these networks to
their vulnerabilities and what can be done to
mitigate them. DHS, working with other
government agencies and private sector
organizations, will build upon and expand existing
efforts to direct the attention of key corporate
decision makers (e.g., CEOs and members of
boards of directors) to the business case for
securing their companies' information systems.

Decision makers can take a variety of steps to
improve the security of their enterprise
networks and to ensure that their networks
cannot be maliciously exploited. Large
enterprises are encouraged to evaluate the security of
their networks that impact the security of the
Nation's critical infrastructures. Such evaluations
might include: (1) conducting audits to ensure
effectiveness and use of best practices; (2) developing
continuity plans which consider offsite staff and
equipment; and, (3) participating in industrywide
information sharing and best practice
dissemination. (A/R 3-4)

(i) Insider Threats: Many cyber attacks on
enterprise systems are perpetrated by trusted
"insiders." Insiders are people trusted with
legitimate access rights to enterprise information
systems and networks. Such trusted individuals
can pose a significant threat to the enterprise
and beyond. The insider threat poses a key risk
because it provides a potential avenue for
individuals who seek to harm the Nation to
gain access to systems that could support their
malicious objectives. Effectively mitigating the
insider threat requires policies, practices, and
continued training. Three common policy areas
which can reduce insider threat include: (1)
access controls, (2) segregation of duties, and,
(3) effective policy enforcement.

• Poor access controls enable an individual
or group to inappropriately modify,
destroy, or disclose sensitive data or
computer programs for purposes such as
personal gain or sabotage.

• Segregation of duties is important in
assuring the integrity of an enterprise's
information system. No one person should
have complete control of any system.

• Effective enforcement of an enterprise
security policy can be challenging and
requires regular auditing. New automated
software is beginning to emerge which can
facilitate efficient enforcement of
enterprise security. These programs allow the
input of policy in human terms,
translation to machine code, and then
monitoring at the packet level of all data
transactions within, and outbound from,
the network. Such software can detect and
stop inappropriate use of networks and
cyber-based resources.

c. Institutions of Higher Education (IHEs)

Awareness plays an especially important role in
increasing the cybersecurity of IHEs. As recent
experience has shown, organized attackers have
collectively exploited many insecure computer
systems traceable to the campus networks of
higher education as a platform from which to
launch denial-of-service attacks and other
threats to unrelated systems on the Internet.
Such attacks harm not only the targeted
systems, but also the owners of those systems
and those who desire to use their services. IHEs
are subject to exploitation for two reasons: (1)
they possess vast amounts of computing power;
and (2) they allow relatively open access to
those resources. The computing power owned
by IHEs is extensive, covering over 3,000
schools, many with research and significant
central computing facilities.

The higher education community collectively
has been actively engaged in efforts to organize
its members and coordinate action to raise
awareness and enhance cybersecurity on
America's campuses. Most notably through
EDUCAUSE, the community has raised the
issue of the Strategy's development with top
leaders of higher education, including the
American Council on Education and the
Higher Education IT Alliance. Significantly,
through this effort, top university presidents
have adopted a 5-point Framework for Action
that commits them to giving IT security high
priority and to adopting the policies and
measures necessary to realize greater system
security:

(1) Make IT security a priority in higher
education;

(2) Revise institutional security policy and
improve the use of existing security
tools;

(3) Improve security for future research and
education networks;

(4) Improve collaboration between higher
education, industry and government;
and

(5) Integrate work in higher education with
the national effort to strengthen critical
infrastructure.

Colleges and universities are encouraged to secure
their cyber systems by establishing some or all of the
following as appropriate: (1) one or more ISACs to
deal with cyber attacks and vulnerabilities; (2)
model guidelines empowering Chief Information
Officers (CIOs) to address cybersecurity; (3) one or
more sets of best practices for IT security; and, (4)
model user awareness programs and materials.
(A/R 3-5)

d. Private Sectors 

DHS will work with private sectors on general
awareness as well as on specific issues impacting
particular sectors. Private sectors own and
operate the vast majority of the Nation's
cyberspace. As long time partners in the effort to
secure cyberspace, many sectors have developed
plans in parallel with the National Strategy to
Secure Cyberspace to help secure their critical
infrastructures. The sectors can serve a vital role
in the reduction of vulnerabilities by creating
sector-wide awareness of issues that affect
multiple members. Members can develop and
share best practices and work together toward
common security solutions. For example,
SCADA systems are a widespread security issue
in the energy sector. Solutions are being
coordinated with the Department of Energy and
across the sector. The sectors also play a role in
the identification of research needs. DHS will
closely coordinate with private sectors on plans
and initiatives to secure cyberspace.

A public-private partnership should continue work
in helping to secure the Nation's cyber infrastructure
through participation in, as appropriate and
feasible, a technology and R&D gap analysis to
provide input into the federal cybersecurity research
agenda, coordination on the conduct of associated
research, and the development and dissemination of
best practices for cybersecurity. (A/R 3-6)

e. State and Local Governments

DHS will implement plans to focus key
decision makers in state and local
governments—such as governors, state legislatures,
mayors, city managers, and county
commissioners/boards of supervisors—to support
investment in information systems security
measures and adopt enforceable management
policies and practices.

B. TRAINING 

In addition to raising general awareness, the
Nation must focus resources on training a
talented and innovative pool of citizens that can
specialize in securing the infrastructure. While
the need for this pool has grown quickly with
the expansion of the Internet and the
pervasiveness of computers, networks, and other
cyber devices, the investment in training has
not kept pace. Universities are turning out
fewer engineering graduates, and much of their
resources are dedicated to other subjects, such
as biology and life sciences. This trend must be
reversed if the United States is to lead the
world with its cyber economy.

1. Foster Adequate Training and Education
Programs to Support the Nation's
Cybersecurity Needs

Improvements in cybersecurity training will be 
accomplished primarily through the work of 
private training organizations, institutions of 
learning, and the Nation's school systems.

DHS will also encourage private efforts to
ensure that adequate opportunities exist for
continuing education and advanced training in
the workplace to maintain high skills standards
and the capacity to innovate.

The federal government can play a direct role in
several ways. First, DHS will implement and
encourage the establishment of programs to advance
the training of cybersecurity professionals in the
United States, including coordination with NSF,
OPM, and NSA, to identify ways to leverage the
existing Cyber Corps Scholarship for Service
program as well as the various graduate,
postdoctoral, senior researcher, and faculty development
fellowship and traineeship programs created by the
Cyber Security Research and Development Act, to
address these important training and education
workforce issues. (A/R 3-7)

2. Increase the Efficiency of Existing Federal
Cybersecurity Training Programs

Second, DHS will explore the benefits of a
center for the development of cybersecurity
training practices that would draw together
expertise and be consistent with the federal
"build once, use many" approach. DHS, in
coordination with other agencies with cybersecurity
training expertise, will develop a coordination
mechanism linking federal cybersecurity and
computer forensics training programs. (A/R 3-8)

C. CERTIFICATION 

1. Promote Private Sector Support for
Well-coordinated, Widely Recognized Professional
Cybersecurity Certifications

Related to education and training is the need
for certification of qualified persons.
Certification can provide employers and
consumers with greater information about the
capabilities of potential employees or security
consultants. Currently, some certifications for
cybersecurity workers exist; however, they vary
greatly in the requirements they impose. For
example, some programs emphasize broad
knowledge verified by an extensive
multiple-choice exam, while others verify in-depth
practical knowledge on a particular cyber
component. No one certification offers a level
of assurance about a person's practical and
academic qualifications, similar to those offered
by the medical and legal professions.

To address this issue, a number of industry 
stakeholders including representatives of both 
consumers and providers of IT security
certifications are beginning to explore approaches to
developing nationally recognized certifications 
and guidelines for certification. 

Aspects that warrant consideration by these
organizations include levels of education and
experience, peer recognition, continuing
education requirements, testing guidance, as
applicable for various levels of certification that
may be established, and models for
administering a certification for IT security
professionals similar to those successfully
employed in other professions. DHS and other
federal agencies, as downstream consumers
(prospective employers of certified personnel),
can aid these efforts by effectively articulating
the needs of the federal IT security community.

DHS will encourage efforts that are needed to build
foundations for the development of security
certification programs that will be broadly accepted by the
public and private sectors. DHS and other federal
agencies can aid these efforts by effectively
articulating the needs of the federal IT security
community. (A/R 3-9)

Priority IV: Securing Governments'
Cyberspace



Although most critical infrastructures are in the
private sector, governments at various levels
perform many key functions. Among those key
functions are national defense, homeland
security, emergency response, taxation,
payments to citizens, central bank activities,
criminal justice, and public health. All of those
functions and others now depend upon
information networks and systems. Thus, it is the
duty of governments to secure their information
systems in order to provide essential services. At
the federal level it is also required by law.

The foundation for the federal government's
cybersecurity requires assigning clear and
unambiguous authority and responsibility for
security, holding officials accountable for
fulfilling those responsibilities, and integrating
security requirements into budget and capital
planning processes.

The federal government will lead by example,
giving cybersecurity appropriate attention and
care, and encouraging others to do so. The
federal government's procurement practices will
be used to help promote cybersecurity. For
example, federal agencies should become early
adopters of new, more secure systems and
protocols where appropriate.

State and local governments can have a similar
effect on cybersecurity. The federal government
is ready to partner with both state and local
governments to promote cybersecurity.

Within the federal government the Director of
OMB is responsible for ensuring that
department and agency heads carry out their
legal responsibilities to secure IT systems, with
the exception of classified systems of national
security departments and agencies that are the
responsibility of the Secretary of Defense and
the Director of Central Intelligence.

A. THE FEDERAL GOVERNMENT 

Beginning with the Budget Blueprint in
February 2001, continuing in the fiscal year
2002 and 2003 budgets, and the Management
Reform Agenda, this administration has set a
clear agenda for government reform. These
reforms include unifying federal government
security and critical infrastructure protection
initiatives, and making strong security a
condition of funding for all federal investments
in information-technology systems.

The National Strategy to Secure Cyberspace 
supports these efforts by working to ensure 
that the federal government can identify 
vulnerabilities, anticipate threats, mitigate 
attacks when possible, and provide for 
continuity of operations. 

To overcome deficiencies in cybersecurity,
OMB established a governmentwide IT
security program, as required by law, to set IT
security policies and perform oversight of
federal agency compliance with security
requirements. This program is based on a
cost-effective, risk-based approach. Agencies must
ensure that security is integrated within every
IT investment. This approach is designed to
enable federal government business operations,
not to unnecessarily impede those functions.



1. Continuously Assess Threats and
Vulnerabilities to Federal Cyber Systems

A key step to ensuring the security of federal
information technology is to understand the
current state of the effectiveness of security and
privacy controls in individual systems. Once
identified, it is equally important to maintain
that understanding through a continuing cycle
of risk assessment. This approach is reflected in
OMB security policies, and is featured in
FISMA.

OMB's first report to Congress on government
information security reform in February 2002
identified six common governmentwide security
performance gaps.

These weaknesses included:

(1) Lack of senior management attention; 

(2) Lack of performance measurement; 

(3) Poor security education and awareness; 

(4) Failure to fully fund and integrate 
security into capital planning and 
investment control; 

(5) Failure to ensure that contractor services 
are adequately secure; and 

(6) Failure to detect, report, and share
information on vulnerabilities.

These gaps are not new or surprising. OMB,
along with the General Accounting Office and
agency inspectors general, has found them to be
problems for at least 6 years. The evaluation
and reporting requirements established by law
have given OMB and federal agencies an
opportunity to develop a comprehensive,
cross-government baseline of agency IT security
performance that had not been previously
available. More importantly, through the
development and use of corrective action plans, the
federal government has a uniform process to
track progress in fixing those weaknesses.

Before OMB approves funding for a system, an
agency must demonstrate that it has resolved
outstanding security issues related to the
system. Additionally, agencies must ensure that
security has been incorporated and security
costs reported for every IT investment through
the federal capital planning process. OMB
policy stipulates that specific lifecycle security
costs be identified, built into, and funded as
part of each system investment. Failure to do so
results in disapproval of funding for the entire
system.

2. Agency-Specific Processes

The federal government must have a
comprehensive and crosscutting approach to improving
cybersecurity. Three processes central to
improving and maintaining federal
cybersecurity in the agencies are: identifying and
documenting enterprise architectures;
continuously assessing threats and vulnerabilities, and
understanding the risks they pose to agency
operations and assets; and implementing
security controls and remediation efforts to
reduce and manage those risks. Each agency
will be expected to create and implement this
formal three-step process to achieve greater
security.

a. Identify and Document Enterprise Architectures

OMB policy requires each agency to identify
and document their enterprise architecture,
including an authoritative inventory of all
operations and assets, all agency IT systems,
critical business processes, and their
interrelationships with other organizations. This
process yields a governmentwide view of critical
security needs.

Through the budget process, the federal
government will drive agency investments in
commercially available tools to improve their
architectures and system configuration.
Configuration management and control has
incidental and important benefits to security.
For example, controlling system configuration
permits agencies to more effectively and
efficiently enforce policies and permissions and
more easily install antivirus definitions and
other software updates and patches across an
entire system or network.

b. Continuously Assess Threats and Vulnerabilities

Commercially available automated auditing and
reporting mechanisms should be used to
validate the effectiveness of the security controls
across a system and are essential to continuously
understand risks to those systems. These tools
can help in analyzing data, providing
forward-looking assessments, and alerting agencies of
unacceptable risks to their operations.

Federal agencies will continue to expand the use of
automated, enterprise-wide security assessment and
security policy enforcement tools and actively deploy
threat management tools to deter attacks. The
federal government will determine whether specific
actions are necessary (e.g., through the policy or
budget processes) to promote the greater use of these
tools. (A/R 4-1)

c. Implement Security Controls and Remediation
Efforts

The implementation of security controls that
maintain risk at an acceptable level can often be
accomplished in a relatively brief amount of
time. However, the remediation of
vulnerabilities is a much more complex challenge.
Software is constantly changing and each new
upgrade can introduce new vulnerabilities. As a
result, vulnerabilities must be assessed
continuously. Remediation often involves "patching" or
installing pieces of software or code that are
used to update the main program. The
remediation of federal systems must be planned in a
consistent fashion.

B. ADDITIONAL GOVERNMENTWIDE
CHALLENGES

In addition, there are four specific
governmentwide security challenges that need to be
addressed. Each agency, as appropriate, should
work with OMB to resolve these challenges.

1. Authenticate and Maintain Authorization
for Users of Federal Systems

Identifying and authenticating each system user
is the first link in the system security chain, and
it must take place whenever system access is
initiated. To establish and maintain secure
system operations, organizations must ensure
that the people on the system are who they say
they are and are doing only what they are
authorized to do. Many authentication
procedures used today are inadequate. Passwords are
not being changed from the system default, are
often incorrectly configured, and are rarely
updated.

The federal government will continue to
promote a continuing chain of security for all
federal employees and processes, including the
use, where appropriate, of biometric smart cards
for access to buildings and computers, and
authentication from the moment of computer
log on. The benefits of such an approach are
clear. By promoting multi-layered identification
and authentication—the use of strong
passwords, smart tokens, and biometrics - the
federal government will eliminate many
significant security problems that it has today.

Through the ongoing E-Authentication Initiative,
the federal government will review the need for
stronger access control and authentication; explore
the extent to which all departments can employ the
same physical and logical access control tools and
authentication mechanisms; and consequently,
further promote consistency and interoperability.
(A/R 4-2)



The National Information 
Assurance Partnership (NIAP) 

NIAP is a U.S. Government initiative to
meet testing, evaluation, and assessment
needs of both information technology (IT)
producers and consumers. NIAP is a
collaboration between the National
Institute of Standards and Technology
(NIST) and the National Security Agency
(NSA) in fulfilling their respective
responsibilities under the Computer Security Act
of 1987.

The partnership, originated in 1997,
combines the extensive security experience
of both agencies to promote the
development of technically sound security
requirements for IT products and systems
and appropriate metrics for evaluating those
products and systems. The long-term goal
of NIAP is to help increase the level of
trust consumers have in their information
systems and networks through the use of
cost-effective security testing, evaluation,
and assessment programs. NIAP continues
to build important relationships with
government agencies and industry in a
variety of areas to help meet current and
future IT security challenges affecting the
Nation's critical information infrastructure.
More information on the partnership can
be found at http://www.niap.nist.gov.



2. Secure Federal Wireless Local Area
Networks

When using wireless technology, the federal
government will carefully evaluate the risks
associated with using such technology for
critical functions. The National Institute of
Standards and Technology (NIST) notes that
wireless communications can be intercepted
and that wireless networks can also experience
denial-of-service attacks. Federal agencies
should use the NIST findings and
recommendations on wireless systems as a guide
to the operation of wireless networks.

Federal agencies should consider installing systems
that continuously check for unauthorized
connections to their networks. Agency policy and
procedures should reflect careful consideration of
additional risk reduction measures, including the
use of strong encryption, bi-directional
authentication, shielding standards and other technical
security considerations, configuration management,
intrusion detection, incident handling, and
computer security awareness and training
programs. (A/R 4-3)

3. Improve Security in Government
Outsourcing and Procurement

Through a joint effort of OMB's Office of
Federal Procurement Policy, the Federal
Acquisition Regulations Council, and the
Executive Branch Information Systems Security
Committee, the federal government is
identifying ways to improve security in agency
contracts and evaluating the overall federal
procurement process as it relates to security.
Agencies' maintenance of security for
outsourced operations was cited as one of the
key weaknesses identified in OMB's February
2002 security report to Congress.

Additionally, the federal government will be
conducting a comprehensive review of the National
Information Assurance Partnership (NIAP), to
determine the extent to which it is adequately
addressing the continuing problem of security flaws
in commercial software products. This review will
include lessons learned from implementation of the
Defense Department's July 2002 policy requiring
the acquisition of products reviewed under the
NIAP or similar evaluation processes. (A/R 4-4)

Department of Defense (DOD) policy
stipulates that if an evaluated product of the type
being sought is available for use, then the DOD
component must procure the evaluated product.
If no evaluated product is currently available,
the component must require prospective
vendors to submit their product for evaluation
to be further considered.

Following this program review, the government 
will evaluate the cost effectiveness of expanding 
the program to cover all federal agencies. If this 
proves workable, it could both improve 
government security and leverage the 
government's significant purchasing power to 
influence the market and begin to improve the 
security of all consumer information technology 
products. 

4. Develop Specific Criteria for Independent
Security Reviews and Reviewers and
Certification

With the growing emphasis on security comes
the corresponding need for expert independent
verification and validation of agency security
programs and practices. FISMA and OMB's
implementing guidance require that agencies'
program officials and CIOs review at least
annually the status of their programs. Few
agencies have available personnel resources to
conduct such reviews, and thus they frequently
contract for such services. Agencies and OMB
have found that contractor security expertise
varies widely from the truly expert to less than
acceptable. Moreover, many independent
verification and validation contractors are also in the
business of providing security program
implementation services; thus, their program reviews
may be biased toward their preferred way of
implementing security.

The federal government will explore whether
private sector security service providers to the
federal government should be certified as meeting
certain minimum capabilities, including the extent
to which they are adequately independent. (A/R 4-5)

C. STATE AND LOCAL GOVERNMENTS 

American democracy is rooted in the precepts
of federalism—a system of government in
which power is allocated between federal and
state governments. This structure of overlapping
federal, state, and local governance has more
than 87,000 different jurisdictions and provides
unique opportunity and challenges for
cyberspace security efforts. State and local
governments, like the federal government,
operate large, interconnected information
systems upon which critical government
services depend.

States provide services that make up the "public 
safety net" for millions of Americans and their 
families. Services include essential social 
support activities as well as critical public safety 
functions, such as law enforcement and 
emergency response services. States also own 
and operate critical infrastructure systems, such 
as electric power and transmission,
transportation, and water systems. They play a
catalytic role in bringing together the different 
stakeholders that deliver critical services within 
their state to prepare for, respond to, manage, 
and recover from a crisis. Delivering critical 
services unique to their roles and responsibilities 
within our federalist system makes state 
government a critical infrastructure sector in its 
own right. 

Many of these critical functions carried out by
states are inexorably tied to IT — including
making payments to welfare recipients,
supporting law enforcement with electronic
access to criminal records, and operating
state-owned utility and transportation services.
Preventing cyber attacks and responding
quickly when they do occur, ensures that these
24/7 systems remain available and in place to
provide important services that the public needs
and expects. Information technology systems
have the potential for bringing unprecedented
efficiency and responsiveness from state
governments for their residents. Citizen confidence in
the integrity of these systems and the data
collected and maintained by them is essential
for expanded use and capture of these potential
benefits.

With an increasing dependence on integrated
systems, state, local, and federal agencies have
to collectively combat cyber attacks. Sharing
information to protect systems is an important
foundation for ensuring government continuity.
States have adopted several mechanisms to
facilitate the sharing of information on cyber
attacks and in reporting incidents.

These mechanisms are continually modified 
and improved as new policy emerges and as 
technological solutions become available. In 
addition, states are exploring options for 
improving information sharing both internally 
and externally. These options include enacting
legislation that provides additional funding and
training for cybersecurity and forming
partnerships across state, local, and federal
governments to manage cyber threats.

1. DHS will Work with State and Local
Governments and Encourage them to
Consider Establishing IT Security Programs
and to Participate in ISACs with Similar
Governments

State and local governments are encouraged to 
establish IT security programs for their departments 
and agendes, induding awareness, audits, and 
standards; and to partidpatein the established 
ISACswith similar governments (A/R 4-6) 
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Priority V: National Security and 
International Cyberspace Security 
Cooperation 



America's cyberspace is linked to that of the rest
of the world. Attacks cross borders at light
speed. Distinguishing between malicious
activity originating from criminals, nation state
actors, and terrorists in real time is difficult.
This requires America to be prepared to defend
critical networks and respond to attacks in each
case. Systems supporting this country's critical
national defense and the intelligence
community must be secure, reliable, and
resilient—able to withstand attack regardless of
the origin of attack. America must also be
prepared to respond as appropriate to attacks
against its critical infrastructure. At the same
time, America must be ready to lead global
efforts, working with governments and industry
alike, to secure cyberspace that is vital to the
operation of the world's economy and markets.
Global efforts require raising awareness,
promoting stronger security standards, and
aggressively investigating and prosecuting
cybercrime.

A. ENSURING AMERICA'S NATIONAL 
SECURITY 

We face adversaries, including nation states and
terrorists, who could launch cyber attacks or
seek to exploit our systems. In peacetime
America's enemies will conduct espionage
against our government, university research
centers, and private companies. Activities would
likely include mapping U.S. information
systems, identifying key targets, lacing our
infrastructure with "back doors" and other
means of access. In wartime or crisis,
adversaries may seek to intimidate by attacking
critical infrastructures and key economic
functions or eroding public confidence in
information systems. They may also attempt to slow
the U.S. military response by disrupting systems
of the Department of Defense (DoD), the
Intelligence Community, and other government
organizations as well as critical infrastructures.

America has already experienced significant
national cybersecurity events. In 1998, attackers
carried out a sophisticated, tightly orchestrated
series of cyber intrusions into the computers of
DoD, NASA, and government research labs.
The intrusions were targeted against those
organizations that conduct advanced technical
research on national security including
atmospheric and oceanographic topics as well as
aircraft and cockpit design.

The United States must have the capability to
secure and defend systems and infrastructures
that are deemed national security assets, and
develop the capability to quickly identify the
origin of malicious activity. We must improve
our national security posture in cyberspace to
limit the ability of adversaries to conduct
espionage or pressure the United States.

1. Strengthen Counterintelligence Efforts in
Cyberspace

The FBI and intelligence community should ensure
a strong counterintelligence posture to counter
cyber-based intelligence collection against the
United States government, and commercial and
educational organizations. This effort must include
a deeper understanding of the capability and intent
of our adversaries to use cyberspace as a means for
espionage. (A/R 5-1)



2. Improve Attack Attribution and Prevention
Capabilities

The intelligence community, DoD, and the law
enforcement agencies must improve the Nation's
ability to quickly attribute the source of threatening
attacks or actions to enable timely and effective
response. Consistent with the National Security
Strategy, these efforts will also seek to develop
capabilities to prevent attacks from reaching critical
systems and infrastructures. (A/R 5-2)

3. Improve Coordination for Responding to
Cyber Attacks within the United States
National Security Community

The United States must improve interagency
coordination between law enforcement, national
security, and defense agencies involving cyber-based
attacks and espionage, ensuring that criminal
matters are referred, as appropriate, among those
agencies. The National Security Council and the
Office of Homeland Security will lead a study to
ensure that appropriate mechanisms are in place.
(A/R 5-3)

4. Reserve the Right to Respond in an
Appropriate Manner

When a nation, terrorist group, or other adversary
attacks the United States through cyberspace, the
U.S. response need not be limited to criminal
prosecution. The United States reserves the right to
respond in an appropriate manner. The United
States will be prepared for such contingencies.
(A/R 5-4)

B. INTERNATIONAL COOPERATION 

The Department of State will lead federal
efforts to enhance international cyberspace
security cooperation. Key initiatives include:

1. Work through International Organizations
and with Industry to Facilitate and to
Promote a Global "Culture of Security"

America's interest in promoting global
cybersecurity extends beyond our borders. Our
information infrastructure is directly linked
with Canada, Mexico, Europe, Asia, and South
America. The United States and world
economy increasingly depend upon global
markets and multinational corporations
connected via information networks. The vast
majority of cyber attacks originates or passes
through systems abroad, crosses several borders,
and requires international investigative
cooperation to be stopped.

Global networks supporting critical economic
and security operations must be secure and
reliable. Securing global cyberspace will require
international cooperation to raise awareness,
increase information sharing, promote security
standards, and investigate and prosecute those
who engage in cybercrime. The United States is
committed to working with nations to ensure
the integrity of the global information networks
that support critical economic and security
infrastructure. We are also ready to utilize
government-sponsored organizations such as
the Organization of Economic Cooperation
and Development (OECD), G-8, the Asia
Pacific Economic Cooperation forum (APEC),
and the Organization of American States
(OAS), and other relevant organizations to
facilitate global coordination on cybersecurity.
In order to facilitate coordination with the
private sector, we will also utilize such
organizations as the Transatlantic Business Dialogue.

2. Develop Secure Networks

The United States will engage in cooperative
efforts to solve technical, scientific, and
policy-related problems to assure the integrity of
information networks. We will encourage the
development and adoption of international
technical standards and facilitate collaboration
and research among the world's best scientists
and researchers. We will promote such efforts as
the OECD's Guidelines for the Security of
Information Systems and Networks, which strive
to inculcate a "culture of security" across all
participants in the new information society.

Because most nations' key information
infrastructures reside in private hands, the
United States will seek the participation of
United States industry to engage foreign
counterparts in a peer-to-peer dialogue, with
the twin objectives of making an effective
business case for cybersecurity, and explaining
successful means for partnering with
government on cybersecurity.

The United States will work through appropriate
international organizations and in partnership
with industry to facilitate dialogue between foreign
public and private sectors on information
infrastructure protection and promote a global "culture of
security." (A/R 5-5)

3. Promote North American Cyberspace
Security

The United States will work with Canada and
Mexico to make North America a "Safe Cyber
Zone." We will expand programs to identify and
secure critical common networks that underpin
telecommunications, energy, transportation,
banking and finance systems, emergency services,
food, public health, and water systems. (A/R 5-6)

4. Foster the Establishment of National and
International Watch-and-Warning
Networks to Detect and Prevent Cyber
Attacks as they Emerge

The United States will urge each nation to build on
the common Y2K experience and appoint a
centralized point-of-contact who can act as a
liaison between domestic and global cybersecurity
efforts. Establishing points of contact can greatly
enhance the international coordination and
resolution of cyberspace security issues. We will also
encourage each nation to develop its own
watch-and-warning network capable of informing
government agencies, the public, and other countries
about impending attacks or viruses. (A/R 5-7)

To facilitate real-time sharing of the threat
information as it comes to light, the United States
will foster the establishment of an international
network capable of receiving, assessing, and
disseminating this information globally. Such a network
can build on the capabilities of nongovernmental
institutions such as the Forum of Incident Response
and Security Teams. (A/R 5-8)

The United States will encourage regional
organizations, such as the APEC, EU, and OAS, to each
form or designate a committee responsible for
cybersecurity. Such committees would also benefit from
establishing parallel working groups with
representatives from the private sector. The United States
will also encourage regional organizations, such as
the APEC, EU, and OAS, to establish a joint
committee on cybersecurity with representatives
from government and the private sector. (A/R 5-9)

5. Encourage Other Nations to Accede to the
Council of Europe Convention on
Cybercrime, or to Ensure that their Laws
and Procedures are at Least as
Comprehensive

The United States will actively foster
international cooperation in investigating and
prosecuting cybercrime. The United States has
signed and supports the recently concluded
Council of Europe Convention on Cybercrime,
which requires countries to make cyber attacks
a substantive criminal offense and to adopt
procedural and mutual assistance measures to
better combat cybercrime across international
borders.

The United States will encourage other nations to
accede to the Council of Europe Convention on
Cybercrime or to ensure that their laws and
procedures are at least as comprehensive. (A/R 5-10)

Ongoing multilateral efforts, such as those in
the G-8, APEC, and OECD are also
important. The United States will work to
implement agreed-upon recommendations and
action plans that are developed in these forums.
Among these initiatives, the United States in
particular will urge countries to join the
24-hour, high-tech crime contact network begun
within the G-8, and now expanded to the
Council of Europe membership, as well as
other countries.

Conclusion: The Way Forward



Our reliance on cyberspace will only continue
to grow in the years ahead. Cyberspace and the
networks that connect to it now support our
economy and provide for our national and
homeland defense. This national dependency
must be managed with continuous efforts to
secure the cyber systems that control our
infrastructures.

Securing cyberspace is a complex and evolving
challenge. The National Strategy to Secure
Cyberspace was developed in close collaboration
with key sectors of the economy that rely on
cyberspace, state and local governments,
colleges and universities, and concerned
organizations. Town hall meetings were held around
the country and fifty-three clusters of key
questions were published to spark public debate.
In addition, a draft version of the National
Strategy to Secure Cyberspace was shared with the
Nation for public comment. The response has
been overwhelming.

The public-private partnerships that formed in
response to the President's call have developed
their own strategies to protect the parts of
cyberspace on which they rely. This unique
partnership and process was and will continue
to be necessary because the majority of the
country's cyber resources are controlled by
entities outside of government. For the National
Strategy to Secure Cyberspace to work it must be a
plan in which a broad cross section of the
country is both invested and committed.
Accordingly the dialogue about how we secure
cyberspace will continue.

The National Strategy to Secure Cyberspace
identifies five national priorities that will help
us achieve this ambitious goal. These are: (1) a
national cyberspace security response system;
(2) a national cyberspace security threat and
vulnerability reduction program; (3) a national
cyberspace security awareness and training
program; (4) securing governments' cyberspace;
and, (5) national security and international
cyberspace security cooperation. These five
priorities will serve to prevent, deter, and
protect against attacks. In addition, they also
create a process for minimizing the damage and
recovering from attacks that do occur.

The National Strategy to Secure Cyberspace is,
however, only a first step in a long-term effort
to secure our information infrastructures. The
federal executive branch will use a variety of
tools to implement this Strategy. The
Administration will work with Congress to
craft future federal security budgets based on
the Strategy, providing every department and
agency involved in cybersecurity with resources
to execute its responsibilities. Each lead
department and agency will plan and program
to execute the initiatives assigned by the
National Strategy to Secure Cyberspace.

Within the federal government, DHS will play a
central role in implementing the National
Strategy to Secure Cyberspace. In addition to
executing its assigned initiatives, the
Department would also serve as the primary
federal point-of-contact for state and local
governments, the private sector, and the
American people on issues related to cyberspace
security. Working with the White House, the
Department therefore would coordinate and
support implementation of non-federal tasks
recommended in the National Strategy to Secure
Cyberspace.

Each department and agency will also be
accountable for its performance on
cybersecurity efforts. The federal government will
employ performance measures—and encourage
the same for state and local governments—to
evaluate the effectiveness of the cybersecurity
programs outlined in this Strategy. These
performance measures will allow agencies to
measure their progress, make resource allocation
decisions, and adjust priorities accordingly.

Federal, state, and local governments, as well as
organizations and people all across the United
States will continue to work to improve
cyberspace security. As these strategies and plans are
implemented, we will begin to incrementally
reduce threats and vulnerabilities.

Cybersecurity and personal privacy need not be 
opposing goals. Cyberspace security programs 
must strengthen, not weaken, such protections. 
The federal government will continue to
regularly meet with privacy advocates to discuss 
cybersecurity and the implementation of this 
Strategy. 

For the foreseeable future, two things will be
true: America will rely upon cyberspace and the
federal government will seek a continuing broad
partnership to develop, implement, and refine
the National Strategy to Secure Cyberspace.

Actions and Recommendations (A/R)
Summary



Priority I: A National Cyberspace 
Security Response System 

A/R 1-1: DHS will create a single
point-of-contact for the federal government's interaction
with industry and other partners for 24 x 7
functions, including cyberspace analysis,
warning, information sharing, major incident
response, and national-level recovery efforts.
Private sector organizations, which have major
contributions for those functions, are
encouraged to coordinate activities, as permitted
by law, in order to provide a synoptic view of
the health of cyberspace on a 24 x 7 basis.

A/R 1-2: As outlined in the 2003 budget, the
federal government will complete the
installation of CWIN to key government
cybersecurity-related network operation centers,
to disseminate analysis and warning
information and perform crisis coordination. The
federal government will also explore linking the
ISACs to CWIN.

A/R 1-3: To test civilian agencies' security
preparedness and contingency planning, DHS
will use exercises to evaluate the impact of cyber
attacks on governmentwide processes.
Weaknesses discovered will be included in
agency corrective action plans and submitted to
the OMB. DHS also will explore such exercises
as a way to test the coordination of public and
private incident management, response and
recovery capabilities.

A/R 1-4: Corporations are encouraged to 
regularly review and exercise IT continuity 
plans and to consider diversity in IT service 
providers as a way of mitigating risk. 



A/R 1-5: Infrastructure sectors are encouraged
to establish mutual assistance programs for
cybersecurity emergencies. DoJ and the Federal
Trade Commission should work with the
sectors to address barriers to such cooperation,
as appropriate. In addition, DHS's Information
Analysis and Infrastructure Protection
Directorate will coordinate the development
and regular update of voluntary joint
government-industry cybersecurity contingency
plans, including a plan for recovering Internet
functions.

A/R 1-6: DHS will raise awareness about the
removal of impediments to information sharing
about cybersecurity and infrastructure
vulnerabilities between the public and private sectors.
The Department will also establish an
infrastructure protection program office to manage
the information flow, including the
development of protocols for how to care for
"voluntarily submitted critical infrastructure
information."

A/R 1-7: Corporations are encouraged to
consider active involvement in industrywide
programs to share information on IT security,
including the potential benefits of joining an
appropriate ISAC. Colleges and universities are
encouraged to consider establishing: (1) one or
more ISACs to deal with cyber attacks and
vulnerabilities; and, (2) an on-call
point-of-contact to Internet service providers and law
enforcement officials in the event that the
school's IT systems are discovered to be
launching cyber attacks.

Priority II: A National Cyberspace
Security Threat and Vulnerability
Reduction Program

A/R 2-1: DoJ and other appropriate agencies
will develop and implement efforts to reduce
cyber attacks and cyber threats through the
following means: (1) identifying ways to
improve information sharing and investigative
coordination within the federal, state, and local
law enforcement community working on critical
infrastructure and cyberspace security matters,
and with other agencies and the private sector;
(2) exploring means to provide sufficient
investigative and forensic resources and training to
facilitate expeditious investigation and
resolution of critical infrastructure incidents;
and, (3) developing better data about victims of
cybercrime and intrusions in order to
understand the scope of the problem and be able to
track changes over time.

A/R 2-2: DHS, in coordination with
appropriate agencies and the private sector, will lead
in the development and conduct of a national
threat assessment including red teaming, blue
teaming, and other methods to identify the
impact of possible attacks on a variety of
targets.

A/R 2-3: The Department of Commerce will
form a task force to examine the issues related
to IPv6, including the appropriate role of
government, international interoperability,
security in transition, and costs and benefits.
The task force will solicit input from potentially
impacted industry segments.

A/R 2-4: DHS, in coordination with the
Commerce Department and appropriate
agencies, will coordinate public-private
partnerships to encourage: (1) the adoption of
improved security protocols; (2) the
development of more secure router technology; and,
(3) the adoption by ISPs of a "code of good
conduct," including cybersecurity practices and
security related cooperation. DHS will support
these efforts as required for their success,
subject to other budget considerations.

A/R 2-5: DHS, in coordination with DOE and
other concerned agencies and in partnership
with industry, will develop best practices and
new technology to increase security of
DCS/SCADA, to determine the most critical
DCS/SCADA-related sites, and to develop a
prioritized plan for short-term cybersecurity
improvements in those sites.

A/R 2-6: DHS will work with the National
Infrastructure Advisory Council and private
sector organizations to develop an optimal
approach and mechanism for vulnerability
disclosure.

A/R 2-7: GSA will work with DHS on an
improved approach to implementing a patch
clearinghouse for the federal government. DHS
will also share lessons learned with the private
sector and encourage the development of a
voluntary industry-led, national effort to
develop a similar clearinghouse for other sectors
including large enterprises.

A/R 2-8: The software industry is encouraged
to consider promoting more secure
"out-of-the-box" installation and implementation of their
products, including increasing: (1) user
awareness of the security features in products;
(2) ease-of-use for security functions; and, (3)
where feasible, promotion of industry guidelines
and best practices that support such efforts.

A/R 2-9: DHS will establish and lead a
public-private partnership to identify cross-sectoral
interdependencies both cyber and physical. The
partnership will develop plans to reduce related
vulnerabilities in conjunction with programs
proposed in the National Strategy for
Homeland Security. The National
Infrastructure Simulation and Analysis Center
in DHS will support these efforts by developing
models to identify the impact of cyber and
physical interdependencies.

A/R 2-10: DHS also will support, when
requested and as appropriate, voluntary efforts
by owners and operators of information system
networks and network data centers to develop
remediation and contingency plans to reduce
the consequences of large-scale physical damage
to facilities supporting such networks, and to
develop appropriate procedures for limiting
access to critical facilities.

A/R 2-11: To meet these needs, the Director of
OSTP will coordinate the development, and
update on an annual basis, a federal government
research and development agenda that includes
near-term (1-3 years), mid-term (3-5 years),
and later (5 years out and longer) IT security
research for Fiscal Year 2004 and beyond.
Existing priorities include, among others,
intrusion detection, Internet infrastructure
security (including protocols such as BGP and
DNS), application security, DoS,
communications security (including SCADA system
encryption and authentication), high-assurance
systems, and secure system composition.

A/R 2-12: To optimize research efforts relative
to those of the private sector, DHS will ensure
that adequate mechanisms exist for
coordination of research and development among
academia, industry and government, and will
develop new mechanisms where needed.

A/R 2-13: The private sector is encouraged to
consider including in near-term research and
development priorities, programs for highly
secure and trustworthy operating systems. If
such systems are developed and successfully
evaluated, the federal government will, subject
to budget considerations, accelerate
procurement of such systems.

A/R 2-14: DHS will facilitate a national
public-private effort to promulgate best
practices and methodologies that promote
integrity, security, and reliability in software
code development, including processes and
procedures that diminish the possibilities of
erroneous code, malicious code, or trap doors
that could be introduced during development.

A/R 2-15: DHS, in coordination with OSTP
and other agencies, as appropriate, will facilitate
communication between the public and private
research and the security communities, to
ensure that emerging technologies are
periodically reviewed by the appropriate body within
the National Science and Technology Council,
in the context of possible homeland and
cyberspace security implications, and relevance to the
federal research agenda.

Priority III: A National Cyberspace 
Security Awareness and Training 
Program 

A/R 3-1: DHS, working in coordination with
appropriate federal, state, and local entities and
private sector organizations, will facilitate a
comprehensive awareness campaign including
audience-specific awareness materials,
expansion of the StaySafeOnline campaign, and
development of awards programs for those in
industry making significant contributions to
security.

A/R 3-2: DHS, in coordination with the
Department of Education, will encourage and
support, where appropriate subject to budget
considerations, state, local, and private
organizations in the development of programs and
guidelines for primary and secondary school
students in cybersecurity.

A/R 3-3: Home users and small businesses can
help the Nation secure cyberspace by securing
their own connections to it. Installing firewall
software and updating it regularly, maintaining
current antivirus software, and regularly
updating operating systems and major
applications with security enhancements are actions
that individuals and enterprise operators can
take to help secure cyberspace. To facilitate such
actions, DHS will create a public-private task
force of private companies, organizations, and
consumer users groups to identify ways that
providers of information technology products
and services, and other organizations can make
it easier for home users and small businesses to
secure their systems.

A/R 3-4: Large enterprises are encouraged to
evaluate the security of their networks that
impact the security of the Nation's critical
infrastructures. Such evaluations might include: (1)
conducting audits to ensure effectiveness and
use of best practices; (2) developing continuity
plans which consider offsite staff and
equipment; and, (3) participating in
industrywide information sharing and best practices
dissemination.

A/R 3-5: Colleges and universities are
encouraged to secure their cyber systems by
establishing some or all of the following as
appropriate: (1) one or more ISACs to deal
with cyber attacks and vulnerabilities; (2) model
guidelines empowering Chief Information
Officers (CIOs) to address cybersecurity; (3)
one or more sets of best practices for IT
security; and, (4) model user awareness
programs and materials.

A/R 3-6: A public-private partnership should
continue work in helping to secure the Nation's
cyber infrastructure through participation in, as
appropriate and feasible, a technology and
R&D gap analysis to provide input into the
federal cybersecurity research agenda,
coordination on the conduct of associated research,
and the development and dissemination of best
practices for cybersecurity.

A/R 3-7: DHS will implement and encourage
the establishment of programs to advance the
training of cybersecurity professionals in the
United States, including coordination with
NSF, OPM, and NSA, to identify ways to
leverage the existing Cyber Corps Scholarship
for Service program as well as the various
graduate, postdoctoral, senior researcher, and
faculty development fellowship and traineeship
programs created by the Cyber Security
Research and Development Act, to address
these important training and education
workforce issues.

A/R 3-8: DHS, in coordination with other
agencies with cybersecurity training expertise,
will develop a coordination mechanism linking
federal cybersecurity and computer forensics
training programs.

A/R 3-9: DHS will encourage efforts that are
needed to build foundations for the
development of security certification programs that
will be broadly accepted by the public and
private sectors. DHS and other federal agencies
can aid these efforts by effectively articulating
the needs of the Federal IT security community.

Priority IV: Securing Governments' 
Cyberspace 

A/R 4-1: Federal agencies will continue to
expand the use of automated, enterprise-wide
security assessment and security policy
enforcement tools and actively deploy threat
management tools to deter attacks. The federal
government will determine whether specific
actions are necessary (e.g., through the policy or
budget processes) to promote the greater use of
these tools.

A/R 4-2: Through the ongoing
E-Authentication initiative, the federal
government will review the need for stronger
access control and authentication; explore the
extent to which all departments can employ the
same physical and logical access control tools
and authentication mechanisms; and,
consequently, further promote consistency and
interoperability.

A/R 4-3: Federal agencies should consider
installing systems that continuously check for
unauthorized connections to their networks.
Agency policy and procedures should reflect
careful consideration of additional risk
reduction measures, including the use of strong
encryption, bi-directional authentication,
shielding standards and other technical security
considerations, configuration management,
intrusion detection, incident handling, and
computer security awareness and training
programs.

A/R 4-4: Additionally, the federal government
will be conducting a comprehensive review of
the National Information Assurance
Partnership (NIAP), to determine the extent to
which it is adequately addressing the continuing
problem of security flaws in commercial
software products. This review will include
lessons-learned from implementation of the
Defense Department's July 2002 policy
requiring the acquisition of products reviewed
under the NIAP or similar evaluation processes.

A/R 4-5: The federal government will explore
whether private sector security service providers
to the federal government should be certified as
meeting certain minimum capabilities,
including the extent to which they are
adequately independent.

A/R 4-6: State and local governments are
encouraged to establish IT security programs
for their departments and agencies, including
awareness, audits, and standards; and to
participate in the established ISACs with similar
governments.

Priority V: National Security and 
International Cyberspace Security 
Cooperation 

A/R 5-1: The FBI and intelligence community
should ensure a strong counterintelligence
posture to counter cyber-based intelligence
collection against the U.S. Government, and
commercial and educational organizations. This
effort must include a deeper understanding of
the capability and intent of our adversaries to
use cyberspace as a means for espionage.

A/R 5-2: The intelligence community, DoD, 
and the law enforcement agencies must improve 
the Nation's ability to quickly attribute the 
source of threatening attacks or actions to 
enable timely and effective response. 
Consistent with the National Security Strategy, 
these efforts will also seek to develop capabilities 
to prevent attacks from reaching critical 
systems and infrastructures. 

A/R 5-3: The United States must improve 
interagency coordination between law 
enforcement, national security and defense 
agencies involving cyber-based attacks and 
espionage, ensuring that criminal matters are 
referred, as appropriate, among those agencies. 
The National Security Council and the Office 
of Homeland Security will lead a study to 
ensure that appropriate mechanisms are in 
place. 

A/R 5-4: When a nation, terrorist group, or 
other adversary attacks the United States 
through cyberspace, the U.S. response need not 
be limited to criminal prosecution. The United 
States reserves the right to respond in an appropriate 
manner. The United States will be 
prepared for such contingencies. 

A/R 5-5: The United States will work through 
appropriate international organizations and in 
partnership with industry to facilitate dialogue 
between foreign public and private sectors on 
information infrastructure protection and 
promote a global "culture of security." 

A/R 5-6: The United States will work with 
Canada and Mexico to make North America a 
"Safe Cyber Zone." We will expand programs 
to identify and secure critical common networks 
that underpin telecommunications, energy, 
transportation, banking and finance systems, 
emergency services, food, public health, and 
water systems. 

A/R 5-7: The United States will urge each 
nation to build on the common Y2K experience 
and appoint a centralized point-of-contact who 
can act as a liaison between domestic and global 
cybersecurity efforts. Establishing points of 
contact can greatly enhance the international 
coordination and resolution of cyberspace 
security issues. We will also encourage each 
nation to develop its own watch-and-warning 
network capable of informing government 
agencies, the public, and other countries about 
impending attacks or viruses. 

A/R 5-8: To facilitate real-time sharing of the 
threat information as it comes to light, the 
United States will foster the establishment of an 
international network capable of receiving, 
assessing, and disseminating this information 
globally. Such a network can build on the 
capabilities of nongovernmental institutions 
such as the Forum of Incident Response and 
Security Teams. 

A/R 5-9: The United States will encourage 
regional organizations, such as the APEC, 
EU, and OAS, to each form or designate a 
committee responsible for cybersecurity. Such 
committees would also benefit from establishing 
parallel working groups with 
representatives from the private sector. The 
United States will also encourage regional 
organizations—such as the APEC, EU, and 
OAS—to establish a joint committee on cybersecurity 
with representatives from government 
and the private sector. 

A/R 5-10: The United States will encourage 
other nations to accede to the Council of 
Europe Convention on Cybercrime or to ensure 
that their laws and procedures are at least as 
comprehensive. 